Akamai not using SNI towards the endpoint

  • Question

  • I have created an Azure CDN with the S2 Standard Akamai tier and created an endpoint using the "custom origin" origin type and then specifying the Origin hostname (as name) and set the origin host header to the name.

    This is working nicely for HTTP connections but HTTPS is failing with:

    An error occurred while processing your request.
    Reference #30.d4f31502.1473495140.27395c54

    The target system hosts multiple websites and looking at the PCAP trace, Akamai sends an SSL Client Hello that does not include the Server Name Indication (SNI) and then gets a random certificate sent. Can Akamai send a Client Hello with SNI included to the backend?

    I tried to work around by assigning a unique IPv6 address to the website but that doesn't seem to be possible either (the endpoint cannot be provisioned).

    Saturday, September 10, 2016 8:21 AM

All replies

  • Hi Holger,

    We currently do not support SNI with Akamai, but hope to in the near future.

    Monday, September 12, 2016 6:13 PM
  • Hi,

    the legacy app runs on an IPv4 address shared with other applications. What is the status to support an IPv6 address as the origin of an endpoint?

    Tuesday, September 13, 2016 5:46 AM
  • Use of IPv6 is currently just supported if you are specifying a hostname for your origin when you create your CDN endpoint. It is not supported if you specify the IPv6 address for the origin. Are you looking for support to specify the IPv6 address for the origin hostname when you create a CDN endpoint?

    Wednesday, September 14, 2016 9:30 PM
  • This doesn't seem to work either. As SNI is not supported by Akamai, I added another IPv6 address to the frontend server, set the server_name for this IPv6 address, created an AAAA record and used this as the origin hostname in the endpoint configuration. It ends with this failure:

    Service Unavailable - DNS failure
    The server is temporarily unable to service your request. Please try again later.
    Reference #11.d4f31502.1474309341.154f2a13

    I assume it fails because no A record is available for my origin (which is the point). Can you please confirm?

    Monday, September 19, 2016 6:27 PM
  • Specifying any IP address (IPv6 or IPv4) for the hostname for the origin when using Azure CDN from Akamai is not supported. We are working on having support for SNI at the origin for Akamai. This will be enabled for all customers later this year. It is not possible to enable this with Akamai on an individual customer basis. The same limitation exists with SNI for Azure CDN from Verizon but with Verizon we do have the ability to enable SNI support on an individual basis. A support request would need to be opened via the Azure portal to have this enabled for a CDN endpoint using Verizon.

    If you need to use Akamai and can't wait until later this year when this is supported, are you able to turn off SNI binding on your origin?

    Monday, September 19, 2016 7:44 PM