Azure CDN from Verizon - enforcement of strict SNI connections
Posted on Monday, September 30, 2019
Beginning October 15, 2019, Azure CDN from Verizon will be enforcing strict SNI connections. Server Name Indication (SNI) is a Transport Layer Security (TLS) extension that allows a client to indicate which hostname it is attempting to connect to at the start of the TLS handshake. This allows a server to host multiple certificates on the same IP address and allows multiple secure (HTTPS) websites to be served by the same IP address with different TLS certificates.
Once non-SNI support has been deprecated, clients that attempt to establish a TLS connection to Azure CDN from Verizon without SNI will receive a certificate error with a mismatched hostname. For example, Chrome will display the following error message: "Your connection is not private -- NET::ERR_CERT_COMMON_NAME_INVALID".
We expect the impact to be minimal as SNI has been a standard since the introduction of TLS 1.1 in 2006 and clients that support TLS 1.1 should support SNI. If you would like to request to opt out of this change for compatibility reasons, please open an Azure support ticket including the hostname requiring non-SNI support and we will evaluate the request.