TLS Server Name Indication (TLS SNI) Support

On configuring TLS SNI, and which mainstream browsers and servers support it

Posted by sysin on 2020-06-01

Author: gc(at)sysin.org, homepage: www.sysin.org

TLS Server Name Indication (TLS SNI) is a TLS extension used when a single server on one (virtual) IP address needs to host multiple HTTPS domains: the client names the host it wants in the ClientHello, so the server can pick the matching certificate before the handshake completes.

"TLS SNI support" therefore means serving SSL sites for several domains on one IP address, or equivalently binding several SSL certificates to one IP.

Browsers that support TLS SNI

Browsers/clients with support for TLS server name indication:

  • Opera 8.0 and later (the TLS 1.1 protocol must be enabled)
  • Internet Explorer 7 or later (under Windows Vista and later only, not under Windows XP)
  • Firefox 2.0 or later
  • Curl 7.18.1 or later (when compiled against an SSL/TLS toolkit with SNI support)
  • Chrome 6.0 or later (on all platforms - releases up to 5.0 only on specific OS versions)
  • Safari 3.0 or later (under OS X 10.5.6 or later and under Windows Vista and later)

To find out if your browser supports SNI, you can go to https://alice.sni.velox.ch/.
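What such a test site actually inspects is the server_name extension in the ClientHello, which travels in cleartext before any key exchange. The following Python is an added example, not code from the original post, that builds a minimal TLS 1.2 ClientHello carrying an SNI extension and parses the name back out of it; the record layout follows RFC 5246 and RFC 6066, and the single cipher suite and all-zero random are placeholders chosen for the example. The same extract_sni function can be pointed at the first bytes of a captured connection to confirm whether a client (or a scanner hitting your server) sent SNI at all.

```python
import struct

SNI_EXT_TYPE = 0x0000   # server_name extension type (RFC 6066 section 3)
HOST_NAME = 0x00        # NameType host_name


def build_client_hello(server_name=None, client_random=b"\x00" * 32):
    """Build a minimal TLS 1.2 ClientHello record (RFC 5246 section 7.4.1.2).
    Constructed for the example: one placeholder cipher suite, empty session id,
    null compression, and an SNI extension only when server_name is given."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")                 # wire form is the A-label
        entry = bytes([HOST_NAME]) + struct.pack("!H", len(name)) + name
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXT_TYPE, len(name_list)) + name_list
    body = (
        b"\x03\x03" + client_random                        # client_version TLS 1.2, 32-byte random
        + b"\x00"                                          # session_id: empty
        + b"\x00\x02\xc0\x2f"                              # cipher_suites: one placeholder suite
        + b"\x01\x00"                                      # compression_methods: null only
    )
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # client_hello(1), 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake(22) record


def extract_sni(record):
    """Return the host_name carried in the SNI extension of a ClientHello record,
    or None if the record is not a ClientHello, is truncated, or carries no SNI."""
    try:
        if record[0] != 0x16:
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:
            return None
        p = 4 + 2 + 32                                     # handshake header, version, random
        p += 1 + hs[p]                                     # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]       # cipher_suites
        p += 1 + hs[p]                                     # compression_methods
        if p + 2 > len(hs):
            return None                                    # no extensions block at all
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
            data = hs[p + 4:p + 4 + ext_len]
            p += 4 + ext_len
            if ext_type != SNI_EXT_TYPE:
                continue
            q = 2                                          # skip ServerNameList length
            while q + 3 <= len(data):
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if name_type == HOST_NAME:
                    return data[q:q + name_len].decode("idna")
                q += name_len
        return None
    except (IndexError, struct.error):
        return None                                        # malformed or truncated input


if __name__ == "__main__":
    for name in ("www.a.com", None):
        print(name, "->", extract_sni(build_client_hello(name)))
```

Because the name is parsed from untrusted bytes, every length field is bounds-checked through the exception guard rather than trusted; a real client that omits the extension simply yields None, which is exactly the "no SNI" case the server sections below have to handle with a default certificate.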

F5 BIG-IP TLS SNI Support

  • Version support

All mainstream versions (v11.6 and later) support it; see the official documentation for v11.6, v12.1 and v13.1.

  • Configuration points

See: K13452

Create a separate (Client or Server) SSL profile for each domain.

Server Name: fill in the domain for each profile (optional), e.g. www.a.com. Wildcards such as *.a.com are supported, and a bare * matches any domain. The other profile gets www.b.com, and so on.

Default SSL Profile for SNI: one of the profiles must be checked as the default; it is the profile used for clients that send no SNI, or a name that matches no profile, so its certificate is what those clients will see.

Virtual Server: in the SSL Profile (Client or Server) setting of the virtual server, select all of the SSL profiles created above at the same time.

Note: on BIG-IP 13.x and earlier, the Ciphers and Client Authentication settings of the multiple SSL profiles must be configured identically (14.x and later no longer has this requirement).

  • iRules

Also note that there is no automatic mechanism for BIG-IP to select a Server SSL profile (used for re-encrypting to the pool member) based on the "Server Name" value received in the client's SSL ClientHello; only the Client SSL profile is chosen that way.

With the help of an iRule, however, you can force selection of the correct serverssl profile based on the "Host" header value received in the initial HTTP request from the client. The Host header is client-supplied, so match it exactly against the known names and make sure the default branch selects a profile you are happy to use for anything unrecognised:

when CLIENT_ACCEPTED {
    # Initialise so SERVER_CONNECTED never reads an unset variable
    set hostname ""
}

when HTTP_REQUEST {
    # Host header with any ":port" suffix removed
    set hostname [getfield [HTTP::host] ":" 1]
}

when SERVER_CONNECTED {
    # The value is lowercased before matching, so the patterns must be lowercase too
    switch -glob [string tolower $hostname] {
        "sitea.com" {
            SSL::profile serverssl-siteA
        }
        "siteb.com" {
            SSL::profile serverssl-siteB
        }
        default {
            # Fallback serverssl profile when the Host header matches none of the predefined values
            SSL::profile serverssl
        }
    }
}

Nginx TLS SNI Support

  • Version support

See the official documentation.

OpenSSL has supported SNI since version 0.9.8f if it was built with the config option "--enable-tlsext". Since OpenSSL 0.9.8j this option is enabled by default. If nginx was built with SNI support, then nginx shows this when run with the "-V" switch:

$ nginx -V
...
TLS SNI support enabled
...

nginx has supported TLS SNI since the 0.x series; the relevant history from the official documentation:

  • The SNI support status has been shown by the “-V” switch since 0.8.21 and 0.7.62.
  • The ssl parameter of the listen directive has been supported since 0.7.14. Prior to 0.8.21 it could only be specified along with the default parameter.
  • SNI has been supported since 0.5.23.
  • The shared SSL session cache has been supported since 0.5.6.
  • Version 1.9.1 and later: the default SSL protocols are TLSv1, TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library).
  • Version 0.7.65, 0.8.19 and later: the default SSL protocols are SSLv3, TLSv1, TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library).
  • Version 0.7.64, 0.8.18 and earlier: the default SSL protocols are SSLv2, SSLv3, and TLSv1.
  • Version 1.0.5 and later: the default SSL ciphers are “HIGH:!aNULL:!MD5”.
  • Version 0.7.65, 0.8.20 and later: the default SSL ciphers are “HIGH:!ADH:!MD5”.
  • Version 0.8.19: the default SSL ciphers are “ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM”.
  • Version 0.7.64, 0.8.18 and earlier: the default SSL ciphers are “ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP”.

  • General configuration
http {

    ......

    # Both servers listen on the same IP:443. nginx picks the server block, and
    # therefore the certificate, from the server_name that matches the SNI value
    # in the ClientHello. A client that sends no SNI, or a name that matches
    # nothing, gets the default server for port 443: the first one listed here,
    # since neither listen carries default_server. Such clients will see
    # a.sysin.org's certificate whatever host they asked for.
    server {
        listen 443 ssl http2;
        server_name a.sysin.org;
        ssl_certificate a.sysin.org.crt;
        ssl_certificate_key a.sysin.org.key;
        # TLSv1.3 requires nginx 1.13.0+ built against OpenSSL 1.1.1+
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers 'AES128+EECDH:AES128+EDH';
        # preload is a long-lived commitment for the whole domain; set it only when intended
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

        charset utf-8;
        #access_log /var/log/nginx/host.access.log main;

        location / {
            root /usr/share/nginx/html;
            index index.php index.html index.htm;
        }
    }

    server {
        listen 443 ssl http2;
        server_name b.sysin.org;
        ssl_certificate b.sysin.org.crt;
        ssl_certificate_key b.sysin.org.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers 'AES128+EECDH:AES128+EDH';
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

        charset utf-8;
        #access_log /var/log/nginx/host.access.log main;

        location / {
            root /usr/share/nginx/html;
            index index.php index.html index.htm;
        }
    }
}
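To see which certificate a configuration like this hands to a given client, the following Python is an added example (not part of the original post, and not nginx code) that reads the directives SNI selection depends on out of an nginx-style config and applies the documented server_name matching order: exact name, then the longest wildcard starting with an asterisk, then the longest wildcard ending with an asterisk, otherwise the default server for that listen address. The config text is constructed for the example; it adds a *.sysin.org wildcard to the first server so the wildcard rule is exercised, and the file names are placeholders. Regular-expression server names and include files are not modelled.

```python
import re

# Constructed for the example: the two server blocks from above, with a wildcard
# name added to the first one and placeholder certificate paths.
CONSTRUCTED_CONF = """
http {
    server {
        listen 443 ssl http2;
        server_name a.sysin.org *.sysin.org;
        ssl_certificate     a.sysin.org.crt;
        ssl_certificate_key a.sysin.org.key;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
        location / { root /usr/share/nginx/html; }
    }
    server {
        listen 443 ssl http2;
        server_name b.sysin.org;
        ssl_certificate     b.sysin.org.crt;
        ssl_certificate_key b.sysin.org.key;
    }
}
"""


def _block_bodies(conf, keyword):
    """Yield the body of every `keyword { ... }` block, counting braces so a nested
    location block does not cut the server block short."""
    for m in re.finditer(r"\b%s\s*\{" % re.escape(keyword), conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]


def parse_ssl_servers(conf):
    """Minimal reader for the directives SNI selection depends on. Not a full nginx
    parser: no include, no regex server names, no per-location directives."""
    conf = re.sub(r'"[^"]*"', '""', conf)      # blank quoted strings (they may contain ';')
    conf = re.sub(r"#.*", "", conf)            # drop comments
    servers = []
    for body in _block_bodies(conf, "server"):
        directives = {}
        for m in re.finditer(r"(\w+)\s+([^;{}]*);", body):
            directives.setdefault(m.group(1), []).append(m.group(2).split())
        listens = directives.get("listen", [])
        if not any("ssl" in args for args in listens):
            continue
        servers.append({
            "names": [n.lower() for args in directives.get("server_name", []) for n in args],
            "cert": directives.get("ssl_certificate", [["<inherited>"]])[0][0],
            "default": any("default_server" in args for args in listens),
        })
    return servers


def _wildcard_match(name, sni):
    """nginx wildcard forms: '*.example.org' (one or more leading labels),
    '.example.org' (the name itself or any subdomain), 'mail.*' (trailing labels)."""
    if name.startswith("*."):
        return sni.endswith(name[1:])
    if name.startswith("."):
        return sni == name[1:] or sni.endswith(name)
    if name.endswith(".*"):
        return sni.startswith(name[:-1])
    return False


def select_server(servers, sni):
    """Mimic nginx's server selection during the TLS handshake. A client that sends
    no SNI, or a name nothing matches, always lands on the default server."""
    default = next((s for s in servers if s["default"]), servers[0])
    if not sni:
        return default
    sni = sni.lower().rstrip(".")
    for s in servers:                                   # 1. exact name
        if sni in s["names"]:
            return s
    for leading in (True, False):                       # 2. leading-*, then 3. trailing-* (longest wins)
        best = None
        for s in servers:
            for n in s["names"]:
                if n.startswith(("*", ".")) == leading and _wildcard_match(n, sni):
                    if best is None or len(n) > len(best[0]):
                        best = (n, s)
        if best:
            return best[1]
    return default                                      # 4. nothing matched


def certificate_for(conf, sni):
    """Certificate file nginx would present to a client offering `sni` (None = no SNI)."""
    return select_server(parse_ssl_servers(conf), sni)["cert"]


if __name__ == "__main__":
    for sni in ("a.sysin.org", "b.sysin.org", "www.sysin.org", "b.example.net", None):
        print(sni, "->", certificate_for(CONSTRUCTED_CONF, sni))
```

The result worth noticing is the last two cases: a client that offers no SNI, or an unknown name, is served a.sysin.org's certificate and will fail hostname verification for anything else. If that fallback is not acceptable, give the listen address a dedicated default_server whose certificate covers every name it should answer for.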

IIS TLS SNI Support

See the official documentation.

  • Version support

Requires IIS 8.0 (Windows Server 2012) or later.

  • Configuration points

When creating multiple HTTPS sites on the same IP and port, fill in the following in each site's HTTPS binding:

Hostname: the site's domain (note that it must match the name on the SSL certificate)

Require Server Name Indication: must be checked



