KB Article #178248

Send Server Name Indication (SNI) setting does not work

Problem

The API Gateway does not send the SNI extension even when the "Send Server Name Indication TLS extension to server" option is selected in a remote host or under General Settings. As a result, connections to sites like Amazon CloudFront, which require SNI, fail.

Resolution

Update: as of 7.7.Sept2020 and later versions, the hostname and SNI settings are considered independently. (RDAPI-20023)


Original solution: In addition to the SNI option, you must select the "Verify server's certificate matches requested hostname" option when you create the remote host, or enable both options in General Settings. The port on the remote host must also match the port you use to connect to the server. Port 443 is the default port for SSL.


The following is an example remote host that will send SNI. Only the last two check boxes are important; the other three can have any value.


[Screenshot: example remote host settings]