Forum Discussion

Feb 23, 2023

server_name extension missing from Client Hello

I ran a trace recently on some traffic and while reviewing in Wireshark I see that in some instances the server_name extension details are visible in the client hello. However, seconds later, in another client hello, the same extension is missing. This corresponds with the behaviour we're seeing in our testing. When the client hello contains the server_name extension we get a working 201 type response. However, when it is missing we get 503 errors.

Is there a configuration/explanation as to why this might be happening? How do we ensure that the server_name extension detail is always included in the client hello?

  • Paulius
    Apr 19, 2023

    cmcnicholas These are the actual client connections failing, or is this a log you are parsing through that shows the SSL error? The reason I ask is because it could be the health check from the F5 that is causing the error, because health checks originate from the self IP while load balanced traffic originates from the floating IP of the F5. If it's the client IP it might be worth running some captures to see if the F5 receives the SNI, because it could be a misconfiguration on the client side. If you want to enable SNI on the health monitor make sure you have the SSL profile associated to the health monitor and you fill in the SNI field in the SSL profile shown below.

  • cmcnicholas When you say server_name extension do you mean server name indication (SNI)? If you are referring to SNI, from my understanding this is added in by the client and not the F5 or server and should be maintained by the client. If you want to ensure that the F5 isn't doing anything with it you can run a tcpdump on the F5 on the client side of the connection to validate that the request always arrives with the SNI field. You can also run a tcpdump/wireshark on the client side to make sure the client is sending the SNI field.

  • If the server name is missing from the client, I suggest trying to troubleshoot this on the client itself. However, if your virtual server is doing re-encryption (client and server SSL profiles) then you may need to configure your server SSL profile to include the SNI server name in the requests from F5 to the backend server: https://my.f5.com/manage/s/article/K39408450

  • Another observation:

    The proxy server we hit requires SNI for inbound traffic coming from our side. We have input the ServerName in the serversslprofile to ensure that the SNI extension is in the Client Hello. This works.

    When we run about 20 tests, about half will work fine because we see the SNI extension in the Client Hello and we hit the API. The other half fail, however, because there is no SNI extension in the Client Hello and we can't access the API because the server has no idea which certificate to serve to us.

    When the connection doesn't work we get an error in the logs:

    [ssl:error][pid25730:tid 140171399874304]AH02033: No hostname was provided via SNI for a name based virtual host.

    Observation:

    Every time we don't see the SNI extension in the Client Hello, it has come from the Self IP. Every time we do see the SNI extension, it has come from the Float IP.
