PxPlus User Forum


Author Topic: PXPlus support for SNI with TLS1.2  (Read 2861 times)

Loren Doornek

PXPlus support for SNI with TLS1.2
« on: July 22, 2019, 10:55:13 AM »
A web service that we use is switching to using SNI (Server Name Indication) for TLS1.2 connections.  In a nutshell, we need to specify the servername that we are trying to connect to when making a secure TCP connection.  I suspected that PXPlus was ahead of the game and already added support for this, and I wasn't disappointed! 

In testing this on a Linux server with the latest OpenSSL libraries, I found that I can successfully make a connection using version 14 (ie: tcb(29)=14100000), but not when using version 12 (ie: tcb(29)=12500000).

Can you confirm that SNI is supported by PXPlus, and what version it was added?  Also, is there any documentation on how it works or modifying how it works (for example, is there a method to specify a different servername using a tcp_opt with the [TCP] command, such as "SERVERNAME=xxxxx")?

Loren Doornek

Re: PXPlus support for SNI with TLS1.2
« Reply #1 on: July 22, 2019, 11:23:11 AM »
I see that the version 14 release notes (https://manual.pvxplus.com/PXPLUS/pxplus/vers1400.htm)  do note "Added: Support for SNI (Server Name Indication) with TLS 1.2", but no other documentation.  So, that confirms what version added the support for SNI.

Can you confirm that PXPlus will set the 'servername' as whatever server name is used in the [TCP] open?

Mike King

Re: PXPlus support for SNI with TLS1.2
« Reply #2 on: July 22, 2019, 11:24:42 AM »
That was added with PxPlus 2017 (V14) and was mentioned here:
https://manual.pvxplus.com/page/pxplus/vers1400.htm

There is no means to override the server name.  It uses the name supplied in the TCP address.

Technically though you could likely fake it out by having a custom /etc/hosts file with the name you want to use pointing to the IP address the server is on. 
Mike King
President - BBSysco Consulting
eMail: mike.king@bbsysco.com

Loren Doornek

Re: PXPlus support for SNI with TLS1.2
« Reply #3 on: July 22, 2019, 01:30:54 PM »
Thanks for the confirmation about the server name, Mike, and the /etc/hosts workaround.  I don't need to change the servername from what I'm using to open the channel as far as I know, but it's good to have that workaround in my back pocket just in case!  And kudos to you and your staff for already having this solution built into PXPlus!

Mike King

Re: PXPlus support for SNI with TLS1.2
« Reply #4 on: July 22, 2019, 01:58:38 PM »
No problem. 

We try to keep relatively current with changes in technology such as SNI support.  Our goal is to have the features available to you before you need them.

For example, in PxPlus 2019 (the current release) we implemented logic to allow you to use "Let's Encrypt" SSL certificates which are both secure and FREE. Going forward, we have just finished doing our preliminary changes and testing to support TLS1.3 which was finalized last year and just released in Redhat 8 in May this year.  We suspect over the next 48 months that clients concerned over security will need to support this newer protocol and we are making every effort to be sure we are ready for that transition.

Keeping up with the changing requirements to allow you to keep your applications secure is one of our major focuses; and a major reason it is important that you keep up with our changes as new versions of PxPlus are released.
Mike King
President - BBSysco Consulting
eMail: mike.king@bbsysco.com

Loren Doornek

Re: PXPlus support for SNI with TLS1.2
« Reply #5 on: August 27, 2019, 05:39:41 PM »
Mike, do you know if PXPlus includes the port in the SNI information?  For example, if I open [tcp]www.contoso.com:443, does PXPlus set the SNI-Host as "www.contoso.com" or "www.contoso.com:443"?

Mike King

Re: PXPlus support for SNI with TLS1.2
« Reply #6 on: August 28, 2019, 10:30:58 AM »
Loren

To the best of my knowledge SNI is port independent.  When we make the call to the system to enable SNI we pass the TCP socket and the host name.  If the SSL logic uses the port number from the socket I don't know.

I suspect that it's the responsibility of the host to decide/detect if there are different certificates on each port.
Mike King
President - BBSysco Consulting
eMail: mike.king@bbsysco.com
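To make the two points above concrete (the SNI extension carries only the host name, never the port, and a client can pin the SNI/certificate name independently of the address it connects to, which is what the /etc/hosts workaround achieves), here is an added Python example. It is not PxPlus code and does not show how PxPlus itself builds the extension; the `[tcp]host:port` address form, the `split_tcp_address` helper and the `www.contoso.com` value are taken from the thread, and the wire layout follows RFC 6066 section 3.

```python
"""SNI carries only the host name (RFC 6066); the port lives on the socket."""
import socket
import ssl
import struct

def split_tcp_address(address: str):
    """Split a PxPlus-style '[tcp]host:port' address into (host, port).
    Only the host part is usable as the SNI name; the port selects the socket."""
    if address.lower().startswith("[tcp]"):
        address = address[5:]
    host, sep, port = address.rpartition(":")
    if not sep or not host:
        raise ValueError("address must be of the form host:port")
    return host, int(port)

def encode_sni_extension(host: str) -> bytes:
    """Build the TLS server_name extension (type 0) for one host_name entry."""
    name = host.encode("ascii")                    # SNI host names are ASCII
    entry = struct.pack("!BH", 0, len(name)) + name  # NameType host_name = 0
    name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0, len(name_list)) + name_list

def decode_sni_extension(data: bytes) -> str:
    """Parse a server_name extension and return its single host_name."""
    ext_type, ext_len = struct.unpack("!HH", data[:4])
    if ext_type != 0 or ext_len != len(data) - 4:
        raise ValueError("not a well-formed server_name extension")
    list_len = struct.unpack("!H", data[4:6])[0]
    pos, end, names = 6, 6 + list_len, []
    while pos < end:
        name_type, name_len = struct.unpack("!BH", data[pos:pos + 3])
        pos += 3
        if name_type == 0:
            names.append(data[pos:pos + name_len].decode("ascii"))
        pos += name_len
    if len(names) != 1:                             # RFC 6066: one host_name only
        raise ValueError("expected exactly one host_name entry")
    return names[0]

def sni_for_address(address: str):
    """Round-trip the address through the extension: (sni_host, port)."""
    host, port = split_tcp_address(address)
    return decode_sni_extension(encode_sni_extension(host)), port

def connect_with_sni(host: str, port: int, connect_to: str = None):
    """Send SNI=host and verify the certificate against host even when the
    TCP connection goes to another address (same effect as the /etc/hosts
    workaround, without editing system files). Not exercised offline."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((connect_to or host, port))
    return ctx.wrap_socket(raw, server_hostname=host)
```

`connect_with_sni("www.contoso.com", 443, connect_to="192.0.2.10")` (constructed address) is the offline-safe way to express "talk to this IP, but present and validate this name".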