Creating an SSL SNI server profile

How to create the SSL SNI server profile that secures connections between clients and the DataPower® Gateway.

About this task

An SSL SNI server profile defines a virtual SSL server that routes the incoming traffic to the SSL server profiles that have the actual key material and SSL protocol parameters. Each SSL SNI server profile requires an SNI map that provides mapping of host names to SSL server profiles.

You can optionally define a default server profile, which handles connections whose ClientHello carries no SNI extension and therefore cannot be matched by the SNI map.

You can use the var://service/tls-info variable to get information about the TLS connection between the client and the DataPower Gateway: the SNI extension from the client ClientHello (if any), the TLS version of the connection, the cipher, and the peer certificate (if any). With this variable, you can add extra checks; for example, you can verify that the host name in the SNI extension from the client matches the host name in the HTTP Host header.
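The SNI-versus-Host check described above, as an added example that is not part of the DataPower documentation or product code. The decision logic is written as plain JavaScript so that it runs stand-alone under Node.js; on DataPower it would be placed in a GatewayScript action. The object shape of var://service/tls-info, in particular the field name sni, and the glue that reads the variable and the Host header at the end of the block are assumptions, not documented interfaces. The example goes slightly beyond the one-line comparison in the text: it normalizes case and a trailing dot, strips a port from the Host header, refuses IP literals (which cannot appear in SNI), and lets a deployment with a default server profile accept connections that carry no SNI at all.

```javascript
// Added example: SNI-vs-Host consistency check for a DataPower front side
// (not from the IBM documentation). Runs as-is under Node.js.

// Normalise a DNS host name for comparison: lower-case (DNS names are
// case-insensitive), drop a trailing dot, and reject anything that is not
// a sequence of LDH labels. Returns null for unusable input.
function normalizeHost(name) {
  if (typeof name !== 'string') return null;
  let h = name.trim().toLowerCase();
  if (h.endsWith('.')) h = h.slice(0, -1);
  const ldh = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$/;
  return ldh.test(h) ? h : null;
}

// Extract the host part of an HTTP Host header value ("host", "host:port",
// "[v6]:port"). IP literals are rejected because the SNI extension only
// carries DNS names (RFC 6066 section 3), so they can never match anyway.
function hostFromHeader(value) {
  if (typeof value !== 'string') return null;
  const v = value.trim();
  if (v.startsWith('[')) return null;                 // IPv6 literal
  const host = v.split(':')[0];
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return null; // IPv4 literal
  return normalizeHost(host);
}

// Compare the SNI name seen at the TLS layer with the Host header seen at
// the HTTP layer. tlsInfo is assumed to be an object with an `sni` string
// (assumed field name for what var://service/tls-info reports).
// opts.requireSni = false models a front side that has a default server
// profile and therefore accepts ClientHellos without SNI.
function checkSniAgainstHost(tlsInfo, hostHeader, opts) {
  const o = Object.assign({ requireSni: true }, opts || {});
  const host = hostFromHeader(hostHeader);
  if (!host) return { ok: false, reason: 'missing or invalid Host header' };

  const rawSni = tlsInfo && typeof tlsInfo.sni === 'string' ? tlsInfo.sni : '';
  if (!rawSni) {
    return o.requireSni
      ? { ok: false, reason: 'ClientHello carried no SNI extension' }
      : { ok: true, reason: 'no SNI, served by default profile, Host ' + host };
  }
  const sni = normalizeHost(rawSni);
  if (!sni) return { ok: false, reason: 'malformed SNI value' };
  if (sni !== host) {
    return { ok: false, reason: 'SNI "' + sni + '" does not match Host "' + host + '"' };
  }
  return { ok: true, reason: 'SNI and Host agree on ' + host };
}

// Constructed sample inputs, as a client would present them.
const sampleTlsInfo = { sni: 'api.example.com', version: 'TLSv1.2', cipher: 'AES256-GCM-SHA384' };
console.log(checkSniAgainstHost(sampleTlsInfo, 'API.example.com:8443'));  // ok: true
console.log(checkSniAgainstHost(sampleTlsInfo, 'other.example.com'));     // ok: false

// Assumed DataPower glue (GatewayScript; not executed under Node.js):
//   var sm = require('service-metadata');
//   var hm = require('header-metadata');
//   var info = sm.getVar('var://service/tls-info');   // assumed: object with an `sni` field
//   var result = checkSniAgainstHost(info, hm.current.get('Host'));
//   if (!result.ok) session.reject('TLS/HTTP host mismatch: ' + result.reason);
```

Whether a mismatch should be rejected depends on the deployment: a client behind a proxy that rewrites Host, or a service deliberately reached through several names, will trip this check, so set requireSni and the reject policy to match the SNI map you actually publish.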

If any of the following settings are defined in both the SSL SNI server profile and the SSL server profile that the SNI map references, the setting in the SSL SNI server profile overrides the setting in the referenced SSL server profile.

Procedure

  1. In the search field, enter SSL.
  2. From the search results, select SSL SNI Server Profile.
  3. Click Add or New.
  4. Define the basic properties: Name, administrative state, and descriptive summary.
  5. Define general settings.
    1. From the Protocols list, select the SSL and TLS protocol versions to support.
    2. From the Host name to profile mapping list, select the name of the SNI map.
    3. Optional: From the Default server profile list, select the SSL server profile that processes the connection when the ClientHello does not include an SNI extension.
  6. Optional: On the Advanced tab, define advanced settings.
    1. From the Advanced SSL options list, select the options to apply to SSL connections.
    2. If you selected the Set maximum SSL session duration option, enter in the Maximum SSL session duration field the maximum time to maintain an SSL session.
    3. If you selected the Set maximum number of client initiated renegotiations to allow option, enter in the Maximum client initiated renegotiations field the maximum number of renegotiation attempts that a client can initiate per session.