Forum Discussion
Hmm. Well, here's what you need for SNI to work:
- Each client SSL profile that you apply to the VIP needs a UNIQUE server name. One can be blank if it's set as the default profile, but it's generally a better idea to explicitly add the server name to each. This is the name that the client uses to address the server. <- it MUST match both the requested server name and the server name (or a subject alt name) in the client SSL profile's assigned certificate.
- The client must support the TLS protocol, at the very least version 1.0, and the client and server must negotiate TLS (versus SSL).
For the sake of testing, you can do the following:
- Apply each client SSL profile to the VIP individually and verify that the profile and client meet each other's negotiation requirements.
- Capture the traffic between the client and virtual server with SSLDUMP. This will provide additional insight into why the handshake may be failing.
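
An offline way to check the two requirements above against a captured ClientHello, as an added example that is not part of the original post: it extracts the offered protocol version and the SNI host name and compares the name with the profiles' server names. The function names, host names and the sample record are constructed for illustration; it assumes one complete, unfragmented ClientHello record and exact-match (non-wildcard) server names.

```python
import struct

def parse_client_hello(record):
    """Return ((major, minor), sni) from one TLS record holding a ClientHello.
    sni is None when no server_name extension is present."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    version = (body[4], body[5])
    pos = 4 + 2 + 32                                        # header, version, random
    pos += 1 + body[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + body[pos]                                    # compression_methods
    if pos + 2 > len(body):
        return version, None                                # no extensions block
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        if etype == 0 and len(data) >= 5 and data[2] == 0:  # server_name / host_name
            nlen = struct.unpack("!H", data[3:5])[0]
            return version, data[5:5 + nlen].decode("ascii").lower()
        pos += 4 + elen
    return version, None

def diagnose(record, profile_server_names):
    """Classify a ClientHello against the profiles' server names (exact match)."""
    version, sni = parse_client_hello(record)
    if version < (3, 1):
        return "below-tls1.0"      # SSLv3 or older offered
    if sni is None:
        return "no-sni"
    names = {n.lower() for n in profile_server_names}
    return "match" if sni in names else "no-match"

def build_client_hello(version, host=None):
    """Constructed sample input: a minimal ClientHello record, not a real capture."""
    ext = b""
    if host is not None:
        name = host.encode("ascii")
        entry = struct.pack("!BH", 0, len(name)) + name
        sn = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(sn)) + sn
        ext = struct.pack("!H", len(ext)) + ext
    body = bytes(version) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00" + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs
```

A "no-sni" or "no-match" result points at the client or at the profile server names; "below-tls1.0" points at the protocol negotiation.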