The display ssl sni-cache command displays the SNI cache list of the SSL-encrypted traffic detection policy.
| Parameter | Description | Value |
|---|---|---|
| ip ip-address | Specifies the SNI cache list of a specified IP address. | The IP address must be added to the SNI cache list. |
| sni server-name | Specifies the SNI cache list of a specified server SNI. | The server SNI must be added to the SNI cache list. |
| all | Indicates the SNI cache list of all SSL-encrypted traffic detection policies. | - |
| all-systems | Indicates the SNI cache list of all systems. | - |
During the SSL handshake, the FW saves the mapping between the SNI and the CN in the SNI cache list if the SNI field in the client certificate is inconsistent with the SAN/CN field in the server certificate. If the SNI field in the client certificate is inconsistent with the SAN/CN field in the server certificate, the FW does not establish the SSL connection with the server. In addition, after the FW decrypts the SSL-encrypted traffic, if the extracted URL matches the SAN/CN of the server certificate in the URL category of the SSL-encrypted traffic detection policy, the FW uses the SAN/CN to match the corresponding policy and performs the configured actions.
# Display all SNI cache lists.

```
<sysname> display ssl sni-cache all
Total SSL SNI-cache(s): 1
-----------------------------------------
IP              PORT   SNI                 Common Name
10.1.1.1        443    www.test.com        www.example.com
```
| Item | Description |
|---|---|
| Total SSL SNI-cache(s) | Total number of SNI caches |
| IP | IP address of the server |
| PORT | IP-based port of the server |
| SNI | SNI information of the client |
| Common Name | SAN/CN of the server certificate |
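The cache shows a server name supplied by the client beside the name the server actually presented in its certificate, and the page explains that a mismatch between the two is what the FW acts on. When reviewing this output at scale it helps to parse it and separate genuine mismatches from entries where the two names differ textually but the certificate name is a wildcard that legitimately covers the SNI. The following script is an added example, not Huawei's code: it parses the `display ssl sni-cache` table format shown above and applies RFC 6125-style hostname matching (exact match, or a single leading `*.` label) to each entry. The sample output is constructed for illustration; the first row is the page's own example, the second row is made up, and the command output carries only one certificate name, so the check cannot see additional SAN entries the certificate may hold.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the page's "display ssl sni-cache all" output.
# Row 1 is the page's example; row 2 is made up to show a wildcard CN.
SAMPLE_OUTPUT = """\
<sysname> display ssl sni-cache all
Total SSL SNI-cache(s): 2
-----------------------------------------
IP              PORT   SNI                 Common Name
10.1.1.1        443    www.test.com        www.example.com
10.1.1.2        443    mail.example.net    *.example.net
"""

# One cache row: dotted-quad IP, numeric port, SNI, Common Name.
ENTRY_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\S+)\s+(\S+)\s*$")
TOTAL_RE = re.compile(r"Total SSL SNI-cache\(s\):\s*(\d+)")


def parse_sni_cache(text: str) -> List[Dict[str, object]]:
    """Parse the table rows of the display output into dicts (ip, port, sni, cn).

    Banner, header and separator lines do not match ENTRY_RE and are skipped.
    """
    entries: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            ip, port, sni, cn = m.groups()
            entries.append({"ip": ip, "port": int(port),
                            "sni": sni.lower(), "cn": cn.lower()})
    return entries


def declared_total(text: str) -> Optional[int]:
    """Return the count the device prints in 'Total SSL SNI-cache(s)', if present."""
    m = TOTAL_RE.search(text)
    return int(m.group(1)) if m else None


def hostname_matches(name: str, pattern: str) -> bool:
    """RFC 6125-style comparison of a hostname against a certificate name.

    Exact match, or a pattern whose only wildcard is a leading '*.' that
    stands in for exactly one label (so '*.example.net' covers
    'mail.example.net' but not 'a.b.example.net' or 'example.net').
    """
    name = name.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if name == pattern:
        return True
    if pattern.startswith("*.") and "*" not in pattern[1:]:
        suffix = pattern[1:]  # e.g. ".example.net"
        return name.endswith(suffix) and name.count(".") == pattern.count(".")
    return False


def find_mismatches(entries: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Entries whose SNI is not covered by the certificate's SAN/CN."""
    return [e for e in entries if not hostname_matches(str(e["sni"]), str(e["cn"]))]


def summarize(text: str) -> Dict[str, object]:
    """Parse the output and report parsed count, declared count and real mismatches."""
    entries = parse_sni_cache(text)
    return {
        "declared_total": declared_total(text),
        "parsed": len(entries),
        "mismatches": find_mismatches(entries),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_OUTPUT)
    print(f"declared={result['declared_total']} parsed={result['parsed']}")
    for e in result["mismatches"]:
        print(f"MISMATCH {e['ip']}:{e['port']} sni={e['sni']} cn={e['cn']}")
```

Feed it the captured output of `display ssl sni-cache all` and compare `declared_total` with `parsed` to catch truncated captures; only the rows returned by `find_mismatches` are the ones where the client-requested name and the certificate name genuinely disagree.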