
SNI Support

Is SNI supported by XG Firewall?   I have multiple SSL certs for multiple domains and one IP and I would like to be able to route traffic to virtual web servers based on this host name inspection. Web servers like Apache, nginx, and IIS as well as every modern browser support it. I would like to manage this and SSL termination on Sophos rather than something downstream.

  • Never used it myself... but it seems to me all ingredients are present.
    Adding a "business Application rule", web-server-protection (WAF), gives you an https checkbox, and allows a domain name and matching certificate to be chosen. Each https site will require its own WAF rule and its own certificate.

  • It doesn't work. It does a "round robin" approach where it will route it to a (seemingly) random host and you get a certificate error, rightfully so since the certificate that is being used to connect doesn't match the host you are sending it to.

    It works fine for wildcard certs, which makes sense since every subdomain matches the wildcard cert, however it does not work for different domains.  Even though it is configurable, I think this interface is for wildcard certs and not SNI.

    I don't think XG Firewall does SNI, which it needs in order to know which host to route it to. Since it connects to SSL before requesting the host, it can only listen on one port (443) and route to one host after the connection (unless a wildcard) unless they use SNI, where the client can ask for the host during the SSL handshake; then XG Firewall will know which virtual host to send it to, even for a different domain. I suspect they will also need to do this if they ever want to support Let's Encrypt cert management on XG Firewall.

    If it isn't supported on XG, I heard it is supported on UTM, however that doesn't help. If that's the case I will just stand up nginx downstream, manage my certs there, and start evaluating other products.

    I added the idea, but it would be nice to know if there is a bug or it doesn't work intentionally.

    http://ideas.sophos.com/forums/330219-sophos-xg-firewall/suggestions/17906929-server-name-indication-sni-multiple-ssl-one-ip

    Thanks.
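The reply above describes the mechanism a TLS-terminating proxy needs: the client names the host in the ClientHello before any certificate is chosen, so the proxy can peek at the first record, read the server_name extension and select the matching certificate and virtual host. The following is an added example (not code from this thread or from any Sophos product) that builds a minimal ClientHello as constructed sample input, extracts the SNI host name from it and picks a backend from a hypothetical routing table; the backend addresses and certificate file names are placeholders. Clients that send no SNI fall through to a default route, which is exactly the situation that produces the "wrong certificate" error the thread describes when several non-wildcard certificates share one IP.

```python
"""Extract the SNI host name from a TLS ClientHello and pick a backend.

Added example, not from the forum thread or any Sophos product. It parses the
TLS record/handshake framing far enough to find the server_name extension
(RFC 6066), which is what SNI-based routing on a single IP depends on.
"""
import struct

HANDSHAKE = 0x16        # TLS record content type: handshake
CLIENT_HELLO = 0x01     # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000
HOST_NAME = 0x00        # server_name entry type: host_name


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample input)."""
    body = b"\x03\x03"            # client_version TLS 1.2
    body += b"\x00" * 32          # random (constant; only the framing matters here)
    body += b"\x00"               # session_id length 0
    body += b"\x00\x02\xc0\x2f"   # one cipher suite (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
    body += b"\x01\x00"           # one compression method: null
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = struct.pack("!BH", HOST_NAME, len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = struct.pack("!B", CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello record, or None if absent or malformed."""
    try:
        ctype, _ver, rlen = struct.unpack("!BHH", record[:5])
        if ctype != HANDSHAKE or len(record) < 5 + rlen:
            return None
        hs = record[5:5 + rlen]
        if hs[0] != CLIENT_HELLO:
            return None
        p = 4 + 2 + 32                                  # handshake header, version, random
        p += 1 + hs[p]                                  # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]    # cipher_suites
        p += 1 + hs[p]                                  # compression_methods
        if p >= len(hs):
            return None                                 # no extensions block at all
        ext_len = struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == EXT_SERVER_NAME:
                data = hs[p:p + elen]
                q = 2                                   # skip server_name_list length
                while q + 3 <= len(data):
                    ntype, nlen = struct.unpack("!BH", data[q:q + 3])
                    q += 3
                    if ntype == HOST_NAME:
                        return data[q:q + nlen].decode("idna")
                    q += nlen
            p += elen
    except (struct.error, IndexError):
        return None
    return None


# Hypothetical routing table: SNI host -> (backend, certificate file). All values are placeholders.
ROUTES = {
    "www.example.com": ("10.0.0.10:443", "example_com.pem"),
    "shop.example.net": ("10.0.0.11:443", "example_net.pem"),
}
DEFAULT_ROUTE = ("10.0.0.10:443", "example_com.pem")


def route(record):
    """Pick backend and certificate for a ClientHello; no or unknown SNI gets the default."""
    name = extract_sni(record)
    if name is None:
        return DEFAULT_ROUTE
    return ROUTES.get(name.lower(), DEFAULT_ROUTE)


if __name__ == "__main__":
    for host in ("www.example.com", "shop.example.net", None):
        print(host, "->", route(build_client_hello(host)))
```

The fallback is the point to watch when deploying this in front of several domains: any client without SNI, and any name not in the table, is served the default certificate, so the default should be the site whose certificate you are prepared to show to everyone, and the proxy's logs should record the SNI value (or its absence) so certificate-mismatch complaints can be traced.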
