Imperva Cyber Community

Hi everyone - 

Time for #ImpervaInsights ! Our Customer Success team gets many frequently asked questions, including this one below:

We are using our custom certificate and Incapsula certificate, however we are unsure of which certificate will be presented. 

What do our product experts have to say? 

The preferred certificate will be the custom certificate. The Incapsula/Cloud WAF certificate will only be presented to the non-SNI clients. 


What further questions do you have on certificates? 


#AllImperva

------------------------------
Christopher Detzel
Community Manager
Imperva
Dallas TX
------------------------------

When using Imperva generated certificate and also the custom certificate then...

First, let's understand what is SNI client and NON-SNI client

SNI stands for Server Name Indication (as part of the TLS extensions)
This allows a server to present multiple certificates on the same IP address.

SNI Clients:
The client that supports TLS SNI can indicate the name of the server to which the client is attempting to connect during the SSL handshake process,
The server that supports the TLS SNI can use this information to select the appropriate SSL certificate to return to the client in the ServerHello
during the SSL Handshake.

NON-SNI:
The client that NOT supports TLS SNI cannot indicate the server, to which the client is attempting to connect during the SSL handshake process,
As a result, the client using the standard TLS protocol, the server might send the wrong certificate to the client
Because it does not yet know which certificate the client is looking for.

If the client using both certificates then,

scenarios:
SNI client - the Custom certificate will be presented.
NON-SNI client - Imperva certificate will be presented


Also, we have a mechanism called "SSL Pooling"
SSL pooling works on our proxies and cannot be disabled or removed, This is valid for both Imperva and custom certificates.
Imperva stores certificates in SSL POOL and will always prefer to serve the custom certificates that include a SAN
That corresponds to the domain in question.

By default, when the site doesn't have a Custom Certificate installed we will serve the Imperva generated certificate,
Unless the proxy finds another certificate in its Custom Certificates pool that includes a SAN that corresponds to the domain in question.

------------------------------
Norbert Libor
------------------------------

Original Message:
Sent: 10-23-2019 15:27
From: Christopher Detzel
Subject: ⭐Imperva Insights: Custom Certificate vs. Incapsula Certificate

Hi everyone - 

Time for #ImpervaInsights ! Our Customer Success team gets many frequently asked questions, including this one below:

We are using our custom certificate and Incapsula certificate, however we are unsure of which certificate will be presented. 

What do our product experts have to say? 

The preferred certificate will be the custom certificate. The Incapsula/Cloud WAF certificate will only be presented to the non-SNI clients. 


What further questions do you have on certificates? 


#AllImperva

------------------------------
Christopher Detzel
Community Manager
Imperva
Dallas TX
------------------------------

Hello Norbert. According to your answer, you may help me with this situation:


------------------------------
victor pinzon
------------------------------

Original Message:
Sent: 11-04-2019 15:40
From: Norbert Libor
Subject: ⭐Imperva Insights: Custom Certificate vs. Incapsula Certificate

When using Imperva generated certificate and also the custom certificate then...

First, let's understand what is SNI client and NON-SNI client

SNI stands for Server Name Indication (as part of the TLS extensions)
This allows a server to present multiple certificates on the same IP address.

SNI Clients:
The client that supports TLS SNI can indicate the name of the server to which the client is attempting to connect during the SSL handshake process,
The server that supports the TLS SNI can use this information to select the appropriate SSL certificate to return to the client in the ServerHello
during the SSL Handshake.

NON-SNI:
The client that NOT supports TLS SNI cannot indicate the server, to which the client is attempting to connect during the SSL handshake process,
As a result, the client using the standard TLS protocol, the server might send the wrong certificate to the client
Because it does not yet know which certificate the client is looking for.

If the client using both certificates then,

scenarios:
SNI client - the Custom certificate will be presented.
NON-SNI client - Imperva certificate will be presented


Also, we have a mechanism called "SSL Pooling"
SSL pooling works on our proxies and cannot be disabled or removed, This is valid for both Imperva and custom certificates.
Imperva stores certificates in SSL POOL and will always prefer to serve the custom certificates that include a SAN
That corresponds to the domain in question.

By default, when the site doesn't have a Custom Certificate installed we will serve the Imperva generated certificate,
Unless the proxy finds another certificate in its Custom Certificates pool that includes a SAN that corresponds to the domain in question.

------------------------------
Norbert Libor

Original Message:
Sent: 10-23-2019 15:27
From: Christopher Detzel
Subject: ⭐Imperva Insights: Custom Certificate vs. Incapsula Certificate

Hi everyone - 

Time for #ImpervaInsights ! Our Customer Success team gets many frequently asked questions, including this one below:

We are using our custom certificate and Incapsula certificate, however we are unsure of which certificate will be presented. 

What do our product experts have to say? 

The preferred certificate will be the custom certificate. The Incapsula/Cloud WAF certificate will only be presented to the non-SNI clients. 


What further questions do you have on certificates? 


#AllImperva

------------------------------
Christopher Detzel
Community Manager
Imperva
Dallas TX
------------------------------