SNI (Server Name Indication) Requirement

Overview

The WAF requires clients to send a Server Name Indication (SNI) hostname during the TLS handshake. Connections that do not include SNI will fail with a TLS internal_error (alert 80) and will not reach your origin server.

SNI is part of the TLS specification and is supported by all modern browsers, HTTP clients, and operating systems. Most applications already send SNI without any special configuration.

Why SNI Is Required

The WAF uses SNI to determine which SSL certificate to present during the TLS handshake. Without it, the firewall cannot route the connection to the correct certificate, and the handshake fails before any HTTP traffic is exchanged.

When This Matters

SNI is handled automatically by modern software. You only need to check your SNI configuration if you are using:

  • Java applications using the BouncyCastle TLS/JSSE provider (does not always send SNI by default)
  • Custom HTTP clients built on low-level TLS libraries where SNI must be configured manually
  • Older versions of Python’s urllib or httplib (Python 2.x)
  • Older versions of Ruby’s net/http (Ruby 1.x)
  • curl versions older than 7.18.1
  • OpenSSL versions older than 0.9.8j (when testing with s_client, the -servername flag is required for SNI to be sent)
  • .NET Framework versions older than 4.5
  • Embedded systems, IoT devices, or legacy middleware with outdated TLS stacks
  • Proxy servers or load balancers that terminate and re-initiate TLS connections without forwarding the original SNI hostname

How to Verify

You can test whether SNI is working correctly using openssl s_client. Replace yourdomain.com with your WAF-protected domain.

With SNI (should succeed):

openssl s_client -connect yourdomain.com:443 -servername yourdomain.com

Without SNI (will fail with alert 80):

openssl s_client -connect yourdomain.com:443

If the first command shows your certificate and the second returns tlsv1 alert internal error, SNI is required and your client must be configured to send it.
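The two probes above can be scripted so the result is a pass/fail verdict rather than something read by eye. The following is an added example and not part of the WAF documentation: a POSIX shell script that runs the SNI and no-SNI openssl s_client probes and classifies their output. One caveat the script handles: OpenSSL 1.1.1 and later send SNI from s_client even without -servername, so on those builds the "without SNI" probe needs the -noservername flag, which the script adds only when the local s_client advertises it. The function names (check_sni, classify_handshake, no_sni_flag, self_check), the file name sni_check.sh and the abbreviated s_client outputs embedded for the offline self-check are all constructed here.

```shell
#!/bin/sh
# Added example, not part of the WAF documentation: script the two
# openssl s_client probes and turn their output into a verdict.

# classify_handshake: read s_client output on stdin and print one word:
#   OK      - the server presented a certificate (handshake completed)
#   NO_SNI  - the server sent TLS alert 80 (internal_error), the failure
#             the WAF returns to clients that omit SNI
#   UNKNOWN - anything else (DNS failure, connection refused, other alert)
classify_handshake() {
  _out=$(cat)
  if printf '%s\n' "$_out" | grep -q -e 'alert internal error' -e 'SSL alert number 80'; then
    echo NO_SNI
  elif printf '%s\n' "$_out" | grep -q 'BEGIN CERTIFICATE'; then
    echo OK
  else
    echo UNKNOWN
  fi
}

# no_sni_flag: OpenSSL 1.1.1+ sends SNI by default, so the "without SNI"
# probe must pass -noservername there; older builds lack the flag entirely.
no_sni_flag() {
  if openssl s_client -help 2>&1 | grep -q -- '-noservername'; then
    echo '-noservername'
  fi
}

# check_sni HOST [PORT]: run both probes against a live host, print both
# verdicts, and succeed only if the probe that sends SNI completed.
check_sni() {
  _host=$1
  _port=${2:-443}
  _with=$(openssl s_client -connect "$_host:$_port" -servername "$_host" </dev/null 2>&1 | classify_handshake)
  _without=$(openssl s_client -connect "$_host:$_port" $(no_sni_flag) </dev/null 2>&1 | classify_handshake)
  echo "with SNI: $_with   without SNI: $_without"
  [ "$_with" = OK ]
}

# Constructed, abbreviated s_client outputs for an offline self-check.
SAMPLE_WITH_SNI='CONNECTED(00000003)
depth=0 CN = yourdomain.com
-----BEGIN CERTIFICATE-----
MIIBconstructedSampleNotARealCertificate
-----END CERTIFICATE-----
subject=CN = yourdomain.com'

SAMPLE_NO_SNI='CONNECTED(00000003)
140000000000000:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1544:SSL alert number 80
no peer certificate available'

# self_check: classify the constructed samples; returns 0 when all verdicts
# come out as intended.
self_check() {
  [ "$(printf '%s\n' "$SAMPLE_WITH_SNI" | classify_handshake)" = OK ] &&
  [ "$(printf '%s\n' "$SAMPLE_NO_SNI" | classify_handshake)" = NO_SNI ] &&
  [ "$(printf '%s\n' 'connect: Connection refused' | classify_handshake)" = UNKNOWN ]
}

# Usage: sh sni_check.sh yourdomain.com    (no argument: offline self-check only)
if [ $# -gt 0 ]; then
  check_sni "$@"
else
  self_check && echo "self-check passed"
fi
```

Run it with your WAF-protected hostname as the argument; a healthy result is "with SNI: OK   without SNI: NO_SNI". A "without SNI: OK" on OpenSSL 1.1.1 or later usually means the build's s_client added SNI itself, so confirm that -noservername was actually applied before concluding that the WAF accepts connections without SNI.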

Fixing SNI in Common Environments

Java (BouncyCastle JSSE)

Set the SNI hostname explicitly on the SSL connection:

import java.util.List;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLParameters;

// Attach the SNI hostname to the SSLSocket before startHandshake() is called.
// List.of needs Java 9+; on Java 8 use Collections.singletonList instead.
SSLParameters sslParams = new SSLParameters();
sslParams.setServerNames(List.of(new SNIHostName("yourdomain.com")));
sslSocket.setSSLParameters(sslParams);

Alternatively, use Java’s built-in JSSE provider instead of BouncyCastle. Java 8+ sends SNI by default when using HttpsURLConnection or HttpClient.

Python 2.x

Upgrade to Python 3.x, which sends SNI by default. If upgrading is not possible, install the urllib3 and pyOpenSSL packages.

curl

Update to curl 7.18.1 or later, which includes SNI support.

OpenSSL s_client

Always include the -servername flag when testing:

openssl s_client -connect yourdomain.com:443 -servername yourdomain.com

Need Help?

If you are unsure whether your client sends SNI or need help configuring it: