This article provides instructions for validating that Server Name Indication (SNI) is being correctly transmitted during the TLS handshake. This is critical for ensuring proper traffic routing and certificate matching for custom domains.
- Custom URL Domains
- Server Name Indication (SNI)
- Network Infrastructure
- TLS/SSL Handshake Validation
- Okta Classic Engine
- Okta Identity Engine (OIE)
To verify that the SNI value is being sent correctly in the outbound traffic, validate the TLS ClientHello using one of the following options:
NOTE: SNI is a TLS extension, not an HTTP header, and is sent before the HTTP request is established.
Option 1: OpenSSL Validation
Run the following command from a client system generating the traffic:
Bash:
openssl s_client -connect <example.custom.domain>:443 -servername <example.custom.domain> -tlsextdebug
Expected Result: The output will reference the TLS server name extension, confirming SNI is included in the ClientHello.
Option 2: Packet Capture (Wireshark)
Perform a packet capture during a new connection attempt and inspect the ClientHello packet.
- Filter: tls.handshake.extensions_server_name
- Path: Handshake Protocol > Client Hello > Extensions > server_name
- Expected Value: The specific custom domain (for example, auth.securebanklogin.com).
NOTE: If any issues are encountered or further assistance is required with these validation steps, please contact Okta Support.
