Status of TLS/SNI in 04/2008

April 22nd, 2008

Since I share a VPS with Georg I’m interested in SNI to be able to drive various HTTPS sites on the same machine with only one IP.

If you use only HTTP, the Apache virtual host feature has done the magic for many years already. But with HTTPS you have been out of luck until now. The problem is the TLS handshake, which has nothing like the Host header in HTTP. Because the HTTP stream is encrypted until the TLS handshake is done, Apache has no chance to read the Host field to choose the right virtual host from the beginning. So there is no way to deliver the right certificate to the client. Certificate hostname mismatches will arise in the user's browser, which is not desirable.

As a solution for this secure virtual hosting problem, RFC 4366 defines SNI in section 3.1. The first RFC where SNI is mentioned is RFC 3546, which was issued in mid 2003, but until today in early 2008 Apache does not support SNI by default. It seems to be a chicken-and-egg problem, as described in "SNI doesn't work in practice". On the one side the major web server Apache does not support it, and on the other side the major browsers were slow to jump on. Opera 8 was the first in 2005, but important public browsers like IE still lack support. Also, major sites don't bother because they have enough IPs.
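To make the problem concrete, here is an added Python example (not from the original post, and not Apache code) that builds a constructed ClientHello with and without the server_name extension from RFC 4366 section 3.1, parses the host name back out, and shows why a server can only choose a virtual host's certificate when the client sends SNI. The host names and certificate labels are constructed.

```python
import struct

EXT_SERVER_NAME = 0       # ExtensionType server_name, RFC 4366 section 3.1
NAME_TYPE_HOST_NAME = 0   # the only NameType RFC 4366 defines

def build_client_hello(sni=None):
    """Constructed TLS 1.0 ClientHello record, with a server_name extension if sni is given."""
    body = b"\x03\x01" + bytes(32)          # client_version + random
    body += b"\x00"                         # empty session_id
    body += b"\x00\x02\x00\x2f"             # cipher_suites: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                     # compression_methods: null
    if sni is not None:
        host = sni.encode("ascii")
        name = struct.pack("!BH", NAME_TYPE_HOST_NAME, len(host)) + host
        name_list = struct.pack("!H", len(name)) + name
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
        body += struct.pack("!H", len(ext)) + ext   # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the host_name from the server_name extension, or None if the client sent no SNI."""
    body = record[9:]                                     # skip record and handshake headers
    pos = 2 + 32                                          # skip version, random
    pos += 1 + body[pos]                                  # skip session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # skip cipher_suites
    pos += 1 + body[pos]                                  # skip compression_methods
    if pos >= len(body):
        return None                                       # no extensions at all (IE on WinXP case)
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if ext_type == EXT_SERVER_NAME:
            p = pos + 2                                   # skip ServerNameList length
            while p + 3 <= pos + ext_len:
                name_type, name_len = struct.unpack("!BH", body[p:p + 3])
                if name_type == NAME_TYPE_HOST_NAME:
                    return body[p + 3:p + 3 + name_len].decode("ascii")
                p += 3 + name_len
        pos += ext_len
    return None

VHOSTS = {"www.example.com": "cert-www", "blog.example.net": "cert-blog"}  # constructed mapping
DEFAULT_CERT = "cert-www"   # the one cert a server can send when the client names no host

def pick_certificate(record):
    """What an SNI-aware server can do with the name: pick the vhost's certificate."""
    host = extract_sni(record)
    return VHOSTS.get(host, DEFAULT_CERT) if host is not None else DEFAULT_CERT
```

A client that omits the extension always receives DEFAULT_CERT, which is exactly the hostname mismatch the post describes for every vhost but the default one.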

Browser Compatibility Table

I compiled a browser compatibility table to document the status of TLS/SNI in April 2008. If you look at the table, the problem lies with WinXP and WebKit. While I assume that WebKit browsers will catch up on OSX and Linux, I'm not sure about WinXP. On WinXP the lack of support (at least for IE) is in the OS itself: IE7 running under Vista supports SNI, but under WinXP it does not.

Browser          | WinXP | Vista      | Linux  | OSX
-----------------|-------|------------|--------|-----------
IE 6[1]          | no    | N/A        | N/A    | N/A
IE 7[2]          | no    | yes        | N/A    | N/A
IE 8[3]          | no    | yes        | N/A    | N/A
Firefox 2[4]     | yes   | yes        | yes    | yes
Safari 3[5]      | no    | don't know | N/A    | don't know
Opera 8+         | yes   | yes        | yes    | yes
Konqueror 3.5[6] | N/A   | N/A        | no     | N/A
Konqueror 4[7]   | N/A   | N/A        | unsure | N/A
[1] Tested as not working with IE 6.0.2900.2180 on WinXP SP2 without any updates.
[2] According to IEBlog: Upcoming HTTPS Improvements in Internet Explorer 7 Beta 2. Tested as not working with IE 7.0.5730.13 on WinXP SP2 with all updates until 04/22/2008.
[3] Tested as not working with IE 8.0.6001.17184 beta on WinXP SP2 with all updates until 04/22/2008.
[4] According to bug #116169. Tested as working with Firefox 2.0.0.12 on Ubuntu 7.10 with all updates.
[5] Tested as not working with Safari 3.1.1 (525.18) on WinXP SP2 with all updates until 04/22/2008.
[6] Tested as not working with Konqueror 3.5.5-ubuntu3 on Ubuntu 6.10 with no updates (plain DVD). I only installed Konqueror from edgy main.
[7] More info at bug #122433.

At the End

I think it's not feasible to use SNI today. It's best to look at it again in one or two years. I found another solution for my HTTPS problem: I use one certificate for the whole server, which has multiple domain names in it. This is possible through multiple SubjectAltNames in the certificate. CAcert issues such certificates. All browsers accept certificates where the domain name matches one of the DNS SubjectAltNames.
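The matching rule the last sentence relies on, as an added Python example (not from the original post, and not CAcert's or any browser's code): the hostname the browser requested is compared against the certificate's DNS SubjectAltNames case-insensitively, with a wildcard accepted only as the whole leftmost label. The SAN list is constructed.

```python
def hostname_matches_san(hostname, dns_sans):
    """True if hostname matches one of the certificate's DNS SubjectAltNames.
    Comparison is case-insensitive; '*' is honoured only as the entire leftmost
    label, stands for exactly one label, and a bare '*.tld' is never accepted
    (conservative browser behaviour)."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for san in dns_sans:
        san_labels = san.lower().rstrip(".").split(".")
        if len(san_labels) != len(host_labels) or san_labels[1:] != host_labels[1:]:
            continue                       # label count or parent domain differs
        if san_labels[0] == host_labels[0]:
            return True                    # exact match on the leftmost label
        if san_labels[0] == "*" and len(san_labels) > 2:
            return True                    # wildcard match on the leftmost label
    return False

# Constructed SAN list for one server certificate covering several sites,
# the workaround the post describes instead of SNI.
SERVER_CERT_SANS = ["www.example.com", "example.net", "*.example.org"]
```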
