Application Delivery (ADX)

jf
New Contributor
Posts: 4
Registered: 07-15-2011
Accepted Solution

SSL SNI (server name identification) fails on 12.5.02m

Hello,

I am trying to get SSL SNI on 12.5.02m to work. However, it fails when trying to configure it:

server virtual test.xyz 1.2.3.4
port ssl ssl-terminate testcert
port ssl ssl-sni testcert2

Error : Fail to bind testcert2 to virutal-port. Default SSL profile binding already exist on virtual-port [test.xyz:443]
Error - Failed to create virtual service port

(btw, there's a typo in the code: "virutal")

The error message somehow suggests not using any profile name after the "port ssl ssl-terminate" command, but it's not possible to exclude the SSL profile name on it. If I don't use "port ssl ssl-terminate" at all, then the SNI command also refuses:

SNI only support for port with SSL-termination or SSL-proxy
Error - Failed to create virtual service port

So I wonder if SSL SNI even works or is this feature not implemented?

Best regards,

Jonas

dej
New Contributor
Posts: 3
Registered: 02-04-2015

Re: SSL SNI (server name identification) fails on 12.5.02m

Hello Jonas,

From the error message it's acting as if both profiles have configuration that ADX views as default. Does testcert2 have 'sni-servername' configured? Example configuration below.

ssl profile SSL-DEFAULT
key key-default
certificate cert-default

ssl profile SNI-TEST
sni-servername "site2.com"
key key-2017
certificate cert-2017

server virtual TEST-VS 10.10.10.10
port ssl
port ssl ssl-term SSL-DEFAULT
port ssl ssl-sni SNI-TEST

jf
New Contributor
Posts: 4
Registered: 07-15-2011

Re: SSL SNI (server name identification) fails on 12.5.02m

Thanks a lot, it works now!

I didn't have "sni-servername" in the SSL profile. The error message is somewhat confusing; maybe that should get fixed and display a more specific message for this.

Also, I couldn't find any documentation about SSL SNI at all (seems this feature was "silently" integrated without documentation)?

dej
New Contributor
Posts: 3
Registered: 02-04-2015

Re: SSL SNI (server name identification) fails on 12.5.02m

Awesome news! That error is a bit confusing to read if you haven't already had experience with the SNI config. Brocade does review these boards, or you could forward the feedback regarding the error to your Brocade contact. They are greatly receptive to feedback. I've linked a PDF for the code version you are on; it contains additional information for the SNI configuration.

http://www.brocade.com/content/dam/secure-external/product-guides/brocade-serveriron-adx/12-5-02h/ServerIronADX_12.5.02m_DocUpdate.pdf

Take care,

-D
