For more details, please see ourCookie Policy.


Application Delivery (ADX)

Reply
jf
New Contributor
jf
Posts: 4
Registered: ‎07-15-2011
Accepted Solution

SSL SNI (server name identification) fails on 12.5.02m

‎03-07-2017 08:26 AM

Hello,

 

i am trying to get SSL SNI on 12.5.02m to work. However it fails when trying to configure it:

 

server virtual test.xyz 1.2.3.4

port ssl ssl-terminate testcert

port ssl ssl-sni testcert2

 

Error : Fail to bind testcert2 to virutal-port. Default SSL profile binding already exist on virtual-port [test.xyz:443]
Error - Failed to create virtual service port

 

(btw, there's a typo in the code: "virutal")

 

The error message somehow suggests to not use any profile name after the "port ssl ssl-terminate" command but its not possible to exclude the ssl profile name on it. If i dont use "port ssl ssl-terminate" at all, the the sni command also refuses:

SNI only support for port with SSL-termination or SSL-proxy
Error - Failed to create virtual service port

 

 

So i wonder if SSL SNI even works or is this feature not implemented?

 

Best regards,

Jonas

Report Inappropriate Content
Message 1 of 4 (3,790 Views)
0 Kudos
dej
New Contributor
dej
Posts: 3
Registered: ‎02-04-2015

Re: SSL SNI (server name identification) fails on 12.5.02m

‎03-08-2017 09:17 PM

Hello Jonas,

 

From the error message it's acting as if both profiles have configuration that ADX views as default.  Does testcert2 have 'sni-servernname' configured?  Example configuration below.

 

ssl profile SSL-DEFAULT
key key-default
certificate cert-default

 

ssl profile SNI-TEST
sni-servername “site2.com”
key key-2017
certificate cert-2017

 

server virtual TEST-VS 10.10.10.10
port ssl
port ssl ssl-term SSL-DEFAULT
port ssl ssl-sni SNI-TEST

Report Inappropriate Content
Message 2 of 4 (3,740 Views)
jf
New Contributor
jf
Posts: 4
Registered: ‎07-15-2011

Re: SSL SNI (server name identification) fails on 12.5.02m

‎03-09-2017 02:48 AM

Thanks alot, it works now!

 

I didnt have "sni-servername" in the ssl profile. The error message is somewhat confusing, maybe that should get fixed and display a more specific message to this.

Also i couldnt find any documentation about SSL SNI at all (seems this feature was "silently" integrated without documentation)?

 

Report Inappropriate Content
Message 3 of 4 (3,728 Views)
0 Kudos
dej
New Contributor
dej
Posts: 3
Registered: ‎02-04-2015

Re: SSL SNI (server name identification) fails on 12.5.02m

‎03-09-2017 06:54 AM

Awesome news!  That error is a bit confusing to read if you haven't already had experience with the SNI config.  Brocade does review these boards or you could forward the feedback regarding the error to your Brocade contact.  They are greatly receptive to feedback.  I've linked a pdf for a code version you are on, it contains additional information for the SNI configuration.

 

http://www.brocade.com/content/dam/secure-external/product-guides/brocade-serveriron-adx/12-5-02h/ServerIronADX_12.5.02m_DocUpdate.pdf

 

Take care,

 

-D

Report Inappropriate Content
Message 4 of 4 (3,713 Views)
0 Kudos

Join the Broadcom Support Community

Get quick and easy access to valuable resources across the Broadcom Community Network.

Register