enableSNI property
Specify whether you want Amazon Route 53 to send the value of
FullyQualifiedDomainName to the endpoint in the
client_hello message during TLS negotiation. This
allows the endpoint to respond to HTTPS health check requests
with the applicable SSL/TLS certificate.
Some endpoints require that HTTPS requests include the host name in the
client_hello message. If you don't enable SNI, the status of
the health check will be SSL alert handshake_failure. A health
check can also have that status for other reasons. If SNI is enabled and
you're still getting the error, check the SSL/TLS configuration on your
endpoint and confirm that your certificate is valid.
The SSL/TLS certificate on your endpoint includes a domain name in the
Common Name field and possibly several more in the
Subject Alternative Names field. One of the domain names in the
certificate should match the value that you specify for
FullyQualifiedDomainName. If the endpoint responds to the
client_hello message with a certificate that does not include
the domain name that you specified in FullyQualifiedDomainName,
a health checker will retry the handshake. In the second attempt, the health
checker will omit FullyQualifiedDomainName from the
client_hello message.
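The name check described above can be reproduced against your own endpoint. The following is an added example, not part of the AWS SDK or this package: the function names are hypothetical, the sample certificates are constructed, and certificates are assumed to be dicts in the shape returned by Python's `ssl.SSLSocket.getpeercert()`. It goes slightly beyond the text by also handling wildcard names, and `fetch_cert` lets you compare the certificate served with SNI against the one served without it.

```python
import socket
import ssl


def cert_names(cert):
    """DNS names from a dict shaped like ssl.SSLSocket.getpeercert():
    Subject Alternative Names first, then the subject Common Name."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in cert.get("subject", ()):
        names += [v for k, v in rdn if k == "commonName"]
    return names


def name_matches(pattern, fqdn):
    """Case-insensitive match; '*' is accepted only as the whole
    left-most label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = fqdn.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h


def cert_covers(cert, fqdn):
    # True when any CN or SAN entry matches FullyQualifiedDomainName.
    return any(name_matches(n, fqdn) for n in cert_names(cert))


def fetch_cert(host, port=443, sni=None):
    """Fetch the endpoint certificate, sending `sni` in client_hello
    (or no SNI when None). The chain is validated, the name is not."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not from a real endpoint).
SNI_CERT = {"subject": ((("commonName", "example.com"),),),
            "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com"))}
DEFAULT_CERT = {"subject": ((("commonName", "default.invalid"),),),
                "subjectAltName": (("DNS", "default.invalid"),)}
```

If `cert_covers(fetch_cert(host, sni=fqdn), fqdn)` is true but the same call with `sni=None` is false, the endpoint relies on SNI to select its certificate and the health check needs enableSNI set.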
Implementation
final bool? enableSNI;