TLS/SSL Certificates Connected Without a Specified SNI Ingrid TLS/SSL Certificate connections without a Server Name Indication (SNI) are rejected since the TLS handshake failed and it resulted in an untrustworthy connection. Learn how TLS/SSL Certificates data is observed. To prevent having to use untrustworthy certificates in a situation where a client connects without specifying an SNI, please consider the following options: Recommended. Configure services in a way that aborts the TLS handshake before presenting a certificate. This is what Cloudflare currently does on its systems (e.g., connecting to a Cloudflare IP address without specifying a SNI results in a TLS Error 40 - No certificates are presented). This option may not be easily implemented in some software applications. If there is a business requirement to allow non-SNI TLS connections, ensure the network service displays a valid signed TLS certificate. Since the connection is being made directly to an IP address (without an SNI specified), this would have to be a certificate that contains the IP address in its Subject Alternative Name (SAN). Since issuing certificates for IP addresses is an uncommon practice, there’s no penalty for an organization that shows a valid and trustworthy certificate, even if its Common Name or Subject Alternative Names do not contain its IP address. If you are an application owner, ensure all TLS certificates are trustworthy. Present a valid and trusted certificate as an alternative. Refer to the following resources for how to specify a default certificate for TLS connections that do not specify an SNI: Kubernetes Ingress Traefik Proxy January 4, 2023: Published. Related articles How is the TLS/SSL Certificates Risk Vector Observed? TLS/SSL Certificate Best Practices TLS/SSL Finding Remediation & Remediation Verification What is a Finding Lifetime? TLS/SSL Configuration Finding Considerations Feedback 0 comments Please sign in to leave a comment.