Configuring SNI-to-TLS Mapping

The SNI-to-TLS Context Mapping table lets you configure up to 100 rules for mapping the 'server_name' (Server Name Indication or SNI) received in the (extended) "client hello" message, to a specific TLS Context configured on the device (see Configuring TLS Certificate Contexts).

TLS doesn't provide a mechanism for a client to tell a server (i.e., the device) the name of the server it is contacting. It may be desirable for clients to provide this information to facilitate secure connections, for example, to servers that host multiple virtual servers at a single underlying IP network address. To provide any of the server names (hostnames or domain names), clients may include an extension of type called 'server_name' in the (extended) "client hello" message during the TLS handshake. The SNI-to-TLS Context Mapping table lets you map this 'server_name' to a specific TLS Context, configured in the TLS Contexts table. In this way, each hostname can have its own TLS certificate (TLS Context), which the device sends to the client in the "server hello" message.

When a match is found between the 'server_name' extension in the "client hello" message and a row in the SNI-to-TLS Context Mapping table, the TLS connection is established using the TLS certificate (i.e., certificate and key) of the mapped TLS Context. However, the TLS connection continues using the configuration settings (e.g., TLS version, ciphers, and key exchange groups) of the TLS Context that was originally used to establish the connection. Any modification to the mapped TLS Context or the original TLS Context triggers an online update of the TLS connection according to the TLS Contexts modifications.

It's recommended to configure the mapped TLS Context and the TLS Context that is used to initially establish the connection with the same parameter settings, but different certificates.

The following procedure describes how to configure SNI-to-TLS Context mapping rules through the Web interface. You can also configure it through ini file [SNI2TLSMapping] or CLI (configure network > sni-to-tls-mapping).

➢

To configure SNI-to-TLS Context mapping rules:

Open the SNI-to-TLS Context Mapping table (Setup menu > IP Network tab > Security folder > SNI-to-TLS Context).

Click New; the following dialog box appears:

Configure an SNI-to-TLS Context mapping rule according to the parameters described in the table below.

Click Apply, and then save your settings to flash memory.

SNI-to-TLS Context Mapping Rules Table Parameter Descriptions

Parameter	Description
'Index' [Index]	Defines an index number for the new table record.
'Host Name' host-name [HostName]	Defines the 'server_name' in the "client hello" message. The valid value is a string of up to 255 characters (case-insensitive).
'TLS Context' tls-context [TLSContext]	Assigns a TLS Context, listed in the TLS Contexts table, to this rule. If the incoming "client hello" message includes a 'server_name' extension type whose value is the same as configured in the 'Host Name' parameter (above), then the device uses this TLS Context. By default, no TLS Context is assigned.

Parameter

Description

'Index'

[Index]

Defines an index number for the new table record.

'Host Name'

host-name

[HostName]

Defines the 'server_name' in the "client hello" message.

The valid value is a string of up to 255 characters (case-insensitive).

'TLS Context'

tls-context

[TLSContext]

Assigns a TLS Context, listed in the TLS Contexts table, to this rule. If the incoming "client hello" message includes a 'server_name' extension type whose value is the same as configured in the 'Host Name' parameter (above), then the device uses this TLS Context.

By default, no TLS Context is assigned.