TLS SNI (TLS Server Name Indication) Configuration: F5, Nginx and IIS

TLS Server Name Indication (TLS SNI)

TLS Server Name Indication (TLS SNI) is used when a single virtual-IP server needs to host multiple domains.

TLS SNI support means that one IP address can serve SSL sites for several domain names, or in other words that several SSL certificates can be bound to a single IP.

Browsers that support TLS SNI

Browsers/clients with support for TLS server name indication:

  • Opera 8.0 and later (the TLS 1.1 protocol must be enabled)
  • Internet Explorer 7 or later (under Windows Vista and later only, not under Windows XP)
  • Firefox 2.0 or later
  • Curl 7.18.1 or later (when compiled against an SSL/TLS toolkit with SNI support)
  • Chrome 6.0 or later (on all platforms - releases up to 5.0 only on specific OS versions)
  • Safari 3.0 or later (under OS X 10.5.6 or later and under Windows Vista and later)

To find out if your browser supports SNI, you can go to https://alice.sni.velox.ch/.

F5 BIG-IP TLS SNI Support

  • Version support

All mainstream supported versions (v11.6 and later) support SNI; see the official documentation for v11.6, v12.1 and v13.1.

  • Configuration essentials

See: K13452

Create a separate (Client or Server) SSL Profile for each domain.

Server Name: enter the domain name for each profile (optional), e.g. www.a.com; wildcards such as *.a.com are supported, and a bare * matches any domain. The other profile would use www.b.com.

Default SSL Profile for SNI: one of the domain profiles must be ticked as the default.

In the Virtual Server's SSL Profile (Client or Server) setting, select all of the SSL Profiles created above.

Note: on BIG-IP 13.x and earlier, the Ciphers and Client Authentication settings of the multiple SSL Profiles must be configured identically (14.x and later no longer require this).

  • iRules

Also note that there is no automatic mechanism that lets the BIG-IP select an SSL Profile based on the "Server Name" value received in the client's SSL Hello message.

However, with the extra help of an iRule, you can force selection of the correct serverssl profile based on the "Host" header value received in the initial HTTP request from the client.

when HTTP_REQUEST {
    # Strip any ":port" suffix from the Host header and normalize to lower case
    set hostname [string tolower [getfield [HTTP::host] ":" 1]]
}

when SERVER_CONNECTED {
    # Guard against SERVER_CONNECTED firing before any HTTP request was parsed
    if { ![info exists hostname] } { set hostname "" }
    # Patterns must be lower case, because $hostname was lower-cased above
    switch -glob $hostname {
        "sitea.com" {
            SSL::profile serverssl-siteA
        }
        "siteb.com" {
            SSL::profile serverssl-siteB
        }
        default {
            # default serverssl profile, selected when the Host header value
            # cannot be matched with one of the predefined values
            SSL::profile serverssl
        }
    }
}

Nginx TLS SNI Support

  • Version support

See the official documentation

OpenSSL supports SNI since version 0.9.8f if it was built with the config option “--enable-tlsext”. Since OpenSSL 0.9.8j this option is enabled by default. If nginx was built with SNI support, it will show this when run with the “-V” switch:

$ nginx -V
...
TLS SNI support enabled
...

Nginx has supported TLS SNI since its 0.x versions:

  • The SNI support status has been shown by the “-V” switch since 0.8.21 and 0.7.62.
  • The ssl parameter of the listen directive has been supported since 0.7.14. Prior to 0.8.21 it could only be specified along with the default parameter.
  • SNI has been supported since 0.5.23.
  • The shared SSL session cache has been supported since 0.5.6.
  • Version 1.9.1 and later: the default SSL protocols are TLSv1, TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library).
  • Version 0.7.65, 0.8.19 and later: the default SSL protocols are SSLv3, TLSv1, TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library).
  • Version 0.7.64, 0.8.18 and earlier: the default SSL protocols are SSLv2, SSLv3, and TLSv1.
  • Version 1.0.5 and later: the default SSL ciphers are “HIGH:!aNULL:!MD5”.
  • Version 0.7.65, 0.8.20 and later: the default SSL ciphers are “HIGH:!ADH:!MD5”.
  • Version 0.8.19: the default SSL ciphers are “ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM”.
  • Version 0.7.64, 0.8.18 and earlier: the default SSL ciphers are “ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP”.
  • General configuration

http {

    ...

    server {
        listen       443 ssl http2;
        server_name  a.sysin.org;
        ssl_certificate     a.sysin.org.crt;
        ssl_certificate_key a.sysin.org.key;
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_ciphers 'AES128+EECDH:AES128+EDH';
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

        charset utf-8;
        #access_log  /var/log/nginx/host.access.log  main;

        location / {
            root   /usr/share/nginx/html;
            index  index.php index.html index.htm;
        }
    }

    server {
        listen       443 ssl http2;
        server_name  b.sysin.org;
        ssl_certificate     b.sysin.org.crt;
        ssl_certificate_key b.sysin.org.key;
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_ciphers 'AES128+EECDH:AES128+EDH';
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

        charset utf-8;
        #access_log  /var/log/nginx/host.access.log  main;

        location / {
            root   /usr/share/nginx/html;
            index  index.php index.html index.htm;
        }
    }
}
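The nginx configuration above binds two certificates to one listen socket, so which certificate a client receives depends solely on the server_name it sends in its ClientHello; a client that sends none (or an unknown name) gets the first server block's certificate, just as an F5 client falls back to the "Default SSL Profile for SNI". As an added illustration (example code, not from the original post, nginx or F5), the following Python script parses the RFC 6066 server_name extension out of a ClientHello record and models that selection rule: exact name, then a *.suffix wildcard (or a bare *, as the F5 Server Name field allows), then the default. The ClientHello bytes, host names and certificate file names are constructed for the example, and build_client_hello deliberately emits a minimal hello rather than a complete handshake.

```python
"""Added example: parse the SNI extension from a TLS ClientHello and model
the certificate-selection fallback used by nginx and BIG-IP (not code from
the original post). All inputs below are constructed for the example."""
import os
import struct

HANDSHAKE = 0x16          # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # RFC 6066 server_name extension
NAME_TYPE_HOST = 0x00     # the only defined NameType: host_name


def build_client_hello(server_name=None):
    """Constructed minimal TLS 1.2 ClientHello record (one cipher suite, no
    session id). server_name=None omits the extensions field entirely, as a
    legacy client such as IE on Windows XP would."""
    body = (b"\x03\x03"                           # client_version = TLS 1.2
            + os.urandom(32)                      # random
            + b"\x00"                             # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite
            + b"\x01\x00")                        # null compression only
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = struct.pack("!BH", NAME_TYPE_HOST, len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(hs)) + hs


def extract_sni(record):
    """Return the lower-cased host_name from the SNI extension of a ClientHello
    record, or None when the client sent no SNI. Raises ValueError on input
    that is not a well-formed ClientHello."""
    try:
        if record[0] != HANDSHAKE:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                          # version + random
        pos += 1 + body[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                                  # compression_methods
        if pos > len(body):
            raise ValueError("truncated ClientHello")
        if pos == len(body):
            return None              # no extensions field at all: legacy client
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_data_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_data_len]
            pos += ext_data_len
            if ext_type != EXT_SERVER_NAME:
                continue
            list_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                name_type, name_len = struct.unpack("!BH", data[q:q + 3])
                q += 3
                if name_type == NAME_TYPE_HOST:
                    return data[q:q + name_len].decode("ascii").lower()
                q += name_len
        return None                  # extensions present, but no server_name
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def select_certificate(sni, vhosts, default_cert):
    """Simplified model of the selection rule: exact server_name match, then a
    '*.suffix' wildcard, then a bare '*', otherwise the default certificate,
    which is also what a client that sends no SNI receives."""
    if sni is None:
        return default_cert
    if sni in vhosts:
        return vhosts[sni]
    for name, cert in vhosts.items():
        if name.startswith("*.") and sni.endswith(name[1:]):
            return cert
    return vhosts.get("*", default_cert)


if __name__ == "__main__":
    # Constructed vhost table mirroring the two nginx server blocks above;
    # the first block on the listen socket acts as the default.
    vhosts = {"a.sysin.org": "a.sysin.org.crt", "b.sysin.org": "b.sysin.org.crt"}
    default_cert = "a.sysin.org.crt"
    for name in ("a.sysin.org", "B.SYSIN.ORG", "other.example", None):
        sni = extract_sni(build_client_hello(name))
        print(f"SNI={sni!r:>20} -> {select_certificate(sni, vhosts, default_cert)}")
```

Running the script shows the two cases that matter operationally: a client that asks for other.example or sends no SNI at all is handed a.sysin.org.crt, which is why the default profile or first server block must carry a certificate you are prepared to expose to every client on that IP.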

IIS TLS SNI Support

See the official documentation

  • Version support

Requires IIS 8.0 (Windows Server 2012) or later

  • Configuration essentials

When creating multiple HTTPS sites, fill in the following:

Hostname: (must match the name on the SSL certificate)

Require Server Name Indication: must be ticked


Reposted from blog.csdn.net/netgc/article/details/107638984