Allowing Non-SNI Clients

In the top right corner of the Inbound Address screen is the button Allow non-SNI clients, which is disabled by default. When enabled, the gateway is configured to accept requests that do not include SNI (Server Name Indication). When it is kept disabled, only requests that include SNI are accepted.

What is SNI?

SNI is part of the TLS protocol and was introduced to enable secure connections to dedicated servers in the case of virtual hosting (that is, when multiple host names — or virtual servers — share the same IP address/server). Virtual servers presented a problem for TLS because the TLS handshake happens before the HTTP session (which is when the server learns which specific address is being accessed). What SNI does is add the host name (or virtual server) that will be accessed to the handshake itself; since the server knows the host name as of the handshake, it also knows which certificate to present.

It is important to keep in mind that the recommendation is to only accept requests that include SNI — that is, requests that indicate the host name as part of the TLS handshake. This is because SNI was implemented exactly to provide better security for virtual hosting, allowing each virtual server to have its own certificate and the TLS handshake to complete correctly when IPs are shared. Also, as SNI is already the long-standing recommended standard (it was specified in RFC 3546 in 2003), clients that do not adopt it tend to be legacy applications. Ideally, these applications should be modernized to conform to current security standards.

If you still wish to accept non-SNI requests, enable the button Allow non-SNI clients in the top right corner of the Inbound Address screen:

[image: non sni]

When the button is enabled, you must confirm your choice. Then, a window will open (see image below) for you to select the inbound address that will be the default server. This means that all incoming requests that do not include SNI will be treated as being directed to the chosen inbound address, and the certificate registered for this inbound address will be presented during the TLS handshake. Note that the routing of the calls is not modified; the default server exists only so that the certificate of the chosen inbound address is presented. For this reason, we suggest that the inbound address chosen as the default server carries a wildcard certificate covering the host names that share the same IP.
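The certificate selection described above (a certificate chosen by the SNI host name, plus a "default server" certificate that is presented only when the ClientHello carries no SNI) can be reproduced with Go's standard TLS library. The program below is an added example written for this page, not the gateway's own code: it generates throwaway self-signed certificates in-process (a real deployment serves CA-issued ones), builds a server whose GetCertificate callback mirrors the Allow non-SNI clients toggle, and runs a loopback handshake with and without SNI to show which certificate the client receives. The host names api.example.com and *.example.com, and the helper names selfSigned, serverConfig, presentedCN and gateway, are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed certificate for one DNS name.
// Constructed in-process for this demo; a real gateway serves CA-issued certificates.
func selfSigned(dnsName string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// serverConfig mirrors the gateway's two settings: the certificate is chosen by the
// SNI host name, and defaultCert (the "default server") is used only when the
// ClientHello carries no SNI. With defaultCert == nil, non-SNI clients are rejected.
func serverConfig(byHost map[string]tls.Certificate, defaultCert *tls.Certificate) *tls.Config {
	return &tls.Config{
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if hello.ServerName == "" {
				if defaultCert == nil {
					return nil, errors.New("ClientHello has no SNI and non-SNI clients are not allowed")
				}
				return defaultCert, nil
			}
			if c, ok := byHost[hello.ServerName]; ok {
				return &c, nil
			}
			return nil, fmt.Errorf("no certificate registered for %q", hello.ServerName)
		},
	}
}

// presentedCN runs one TLS handshake over loopback and reports the CommonName of the
// certificate the server presented. An empty sni makes the Go client omit the SNI
// extension entirely, which is exactly what a legacy non-SNI client does.
func presentedCN(srv *tls.Config, sni string) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			_ = tls.Server(c, srv).Handshake() // the client side reports the outcome
			c.Close()
		}
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return "", err
	}
	// InsecureSkipVerify only because the demo certificates are self-signed and unknown to the client.
	conn := tls.Client(raw, &tls.Config{ServerName: sni, InsecureSkipVerify: true})
	defer conn.Close()
	if err := conn.Handshake(); err != nil {
		return "", err
	}
	return conn.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

// gateway simulates the Inbound Address screen: allowNonSNI is the toggle, and the
// wildcard inbound address (*.example.com) is the inbound address chosen as default server.
func gateway(allowNonSNI bool, sni string) (string, error) {
	byHost := map[string]tls.Certificate{"api.example.com": selfSigned("api.example.com")}
	var defaultCert *tls.Certificate
	if allowNonSNI {
		wild := selfSigned("*.example.com")
		defaultCert = &wild
	}
	return presentedCN(serverConfig(byHost, defaultCert), sni)
}
```

Calling gateway(false, "") fails the handshake, which is the behaviour of the toggle when disabled; gateway(true, "") succeeds and the client receives the *.example.com certificate, while gateway(true, "api.example.com") still receives the api.example.com certificate, showing that the default server only changes which certificate a non-SNI client sees. A client that presents an SNI host name the gateway does not know still fails regardless of the toggle.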

[image: non sni select]

Once you have chosen the inbound address to be the default server, click SELECT AND SAVE. As a result, you will see Allow non-SNI clients enabled.

You may only choose one inbound address to be the default server. However, you can change it at any time. To do so, click on the settings icon and select another inbound address in the modal window that appears. The icon for choosing another inbound address becomes active only after Allow non-SNI clients is enabled.

It is also possible to disable the option at any time by deactivating the button Allow non-SNI clients. In this case, requests that do not include SNI will not be accepted by the gateway.
