If SNI is enabled on Edge (between Edge and Client...

sudheendras · 07-14-2016 08:02 AM

SNI relies on the client supporting SNI and sending the Server Name extension in the SSL Client Hello. If I enable SNI on Apigee Edge, will it impact non-SNI clients?

Report Inappropriate Content

question - where are you going to enable it? I am an on prem customer so I am curious as to what config file + component (i know that doesnt matter to cloud customers.. but it will give me a better idea as to what you are trying to accomplish)

sudheendras

I was trying to understand the impact on non-SNI client applications when SNI is enabled on the north-bound side (between client application & Edge). Well I guess the answer is "if SSL Client Hello does not contain the SNI header then Edge disconnects". So it's not ideal to enable SNI if some of your client applications does not support it. I guess the answer would be same for a private cloud deployment as well.

However supporting SNI towards a backend, does not require any configuration in Edge.

According to this doc page - If your target backend is configured to support SNI, you can enable this feature by setting the following property to true in /opt/apigee4/conf/apigee/message-processor/system.properties on the Message Processors and restart them.

jsse.enableSNIExtension=true

madhans

The clients that do not support SNI receive a default certificate. Choosing the default carefully for legacy applications could take care of majority of the usecases.

rajeshnimmadan

Please tell me is there any impact on non-SNI clients while enabling SNI in Apigee edge cloud.

If SNI is enabled on Edge (between Edge and Client), will it impact non-SNI clients?