Forum Discussion
cmcnicholas
Cirrus
Cirrusserver_name extension missing from Client Hello
I ran a trace recently on some traffic and while reviewing in Wireshark I see that in some instances the server_name extension details are visible in the client hello. However, seconds later in clien...
cmcnicholas These are the actual client connections failing or is this a log you are parsing through that shows the SSL error? The reason I ask is because it could be the health check from the F5 that is causing the error because health checks originate from the self IP while load balanced traffic originates from the floating IP of the F5. If it's the client IP it might be worth running some captures to see if the F5 receives the SNI because it could be a miss-configuration on the client side. If you want to enable SNI on the health monitor make sure you have the SSL profile associated to the health monitor and you fill in the SNI filed in the SSL profile shown below.
cmcnicholasCirrus
CirrusAnother observation:
The proxy server we hit requires SNI for inbound traffic coming from our side. We have input the ServerName in the serversslprofile to ensure that the SNI extension is in thr Client Hello. This works.
When we run about 20 tests, about half will work fine because we see the SNI extension in the Client Hello and we hit the API. The other half fail however because there is no SNI extension in the Client Hello and we can't access the API because the server has no idea which certificate to server to us.
When the connection doesn't work we get an error in the logs:
[ssl:error][pid25730:tid 140171399874304]AH02033: No hostname was provided via SNI for a name based virtual host.
Observation:
Every time we don't see the SNI extension in the Client Hello, it has come from the Self IP. Every time we do see the SNI extension, it has come from the Float IP.
- Paulius
MVP
cmcnicholas These are the actual client connections failing or is this a log you are parsing through that shows the SSL error? The reason I ask is because it could be the health check from the F5 that is causing the error because health checks originate from the self IP while load balanced traffic originates from the floating IP of the F5. If it's the client IP it might be worth running some captures to see if the F5 receives the SNI because it could be a miss-configuration on the client side. If you want to enable SNI on the health monitor make sure you have the SSL profile associated to the health monitor and you fill in the SNI filed in the SSL profile shown below.