Commonly encountered queries on SNI-based SSL profile are discussed under this topic.
What is Server Name Indication (SNI)?
Server Name Indication, or SNI, is a method of hosting multiple domain names virtually, for an SSL-enabled virtual service IP. A single virtual service IP is advertised for multiple virtual services.
What are the different SSL profiles that can be configured based on SNI?
SNI based parent, and child virtual services can be configured with two different SSL profiles. One SSL profile can be set to the parent virtual service, and another SSL profile can be associated to the child virtual service.
What are the benefits of configuring parent and child virtual service?
Parent and child SSL profiles can have different settings. This gives a lot of flexibilities and controls to the user to define SSL configuration at the child level.
How does SSL handshake happen when a parent and a child virtual service are configured? Following is the communication flow for SSL handshake when a parent and a child virtual service are configured:
TCP handshake is handled by the parent virtual service.
The client Hello comes to the parent virtual service.
The client Hello contains the SNI and hence the NSX Advanced Load Balancer is able to select the child virtual service.
The SSL profile of the child is used to allow or deny (based on SSL/TLS version) and select a cipher.
The child virtual service responds with server Hello, which includes the cipher and the child certificate.
What happens if an SSL Profile is not specified on a child virtual service?
If an SSL Profile is not specified on a child virtual service, the child virtual service will default to the SSL Profile of the parent virtual service.