0

Question

  1. Is there a specific reason why API Gateway requires the HTTP/S client to support SNI?
  2. Which AWS document clearly states the SNI requirement?

About Question 2

I believe SNI is an extension to TLS and TLS version 1.2 does not require to support SNI as far as I looked into RFC. TLS 1.3 requires it as mandatory but it looks AWS API Gateway has not adopted 1.3 yet as per the AWS document Supported SSL/TLS Protocols and Ciphers for Regional, Private, and WebSocket API Endpoints in API Gateway.

Hence, I suppose enforcing SNI, if AWS API Gateway actually does so, seems to be AWS specific requirement or limitation to be clearly noted, but so far I could not find the AWS documentation stating as such.

Hence I believe there should be an AWS documentation which states below, but please correct if wrong.

  • HTTP/S client to use API gateway must support SNI
  • For SNI unsupported HTTP/S client, use CloudFront (or other ways if available) and do not forward HOST header.

References

API Gateway requires a https connection with a client that support server name indicator (SNI)

You can indeed put CF dist in front of APIG, the trick is to force HTTPS only "Viewer Protocol Policy" AND to NOT forward the HOST header because APIG needs SNI.

Community
  • 1
  • 1
mon
  • 18,789
  • 22
  • 112
  • 205

1 Answers1

2

As far as I know SNI is not required for the API Gateway, this is a configuration option, but not a requirement.

The documentation I once used to understand a similar scenario clearly states that SNI is an option, but a dedicated IP address can be used to support users that can't use a modern TLS client (browser) which support SNI.

Server Name Indication (SNI) is one way to associate a request with a domain. Another way is to use a dedicated IP address. If you have users who can't upgrade to a browser or client released after 2010, you can use a dedicated IP address to serve HTTPS requests.

Per your question I will assume your API Gateway is configured to use SNI with CloudFront, since as also described in the following API Gateway documentation:

API Gateway supports edge-optimized custom domain names by leveraging Server Name Indication (SNI) on the CloudFront distribution.

Filipe dos Santos
  • 287
  • 1
  • 5
  • 13