
SSL, IPs, and SNI technology

Without SNI, which is how our servers used to operate, a TLS server does not learn which domain the client wants before the handshake: the HTTP Host header is only sent after the encrypted connection is established, so the server had to pick a certificate based on the IP address alone. Thus it was a requirement to have a dedicated IP for each domain that used a secured connection.

Now, with cPanel version 11.38 and higher, we are able to use SNI.

Server Name Indication (SNI) is an extension to the TLS protocol by which the client indicates, in its first handshake message (the ClientHello), which hostname it is attempting to connect to.

This allows a server to present different certificates on the same IP address and port number, and hence to host multiple secure (HTTPS) websites (or any other service over TLS) on one IP.

However, there are a few issues that might appear:

SNI is not supported by some old browsers and operating systems.*

  • Internet Explorer (any version: 6, 7, 8, 9) on Windows XP
  • Internet Explorer 6 or earlier on any Windows version
  • Safari on Windows XP
  • BlackBerry Browser
  • Windows Mobile up to 6.5
  • Nokia Browser for Symbian, at least on Series60
  • Opera Mobile for Symbian, at least on Series60

The web site will still be available via HTTPS from these browsers, but because the client does not send a hostname, the server answers with the default certificate for the IP address, which does not match the site's name, and the browser shows a certificate mismatch warning.

Ways to resolve the issue: use a different, SNI-capable browser to access the web site. A visitor with an incompatible browser can also click through the warning, in which case the site opens normally via HTTPS, but the connection is secured with the server's default certificate rather than the site's own. All visitors with incompatible browsers will see the warning message. Note that this warning is the same one a man-in-the-middle attack would produce, so visitors should not get used to clicking through it; the proper fix is an SNI-capable browser or a dedicated IP address.

If you try to gain HTTPS access using the server's IP address instead of the domain name, the same issue appears.

A browser connecting to an IP address does not send a server name at all (SNI carries hostnames only, never IP literals), so the client receives the "default" certificate that is set for each IP on the server (e.g. serverX.web-hosting.com) and reaches the first site hosted on that IP.

Way to resolve the issue: order a dedicated IP address and assign it to this domain.
If SNI works for you, we will install the SSL certificate without ordering a dedicated IP address.
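To make concrete what the server actually sees in the two situations described above (a client that sends a hostname versus a client that does not, such as an old browser or one connecting by IP address), the following is an added example written for this article; it is not part of the original page and not cPanel's or Apache's code. It builds a minimal TLS ClientHello record, extracts the server_name extension the way a server would, and then picks a certificate from a hypothetical virtual-host table, falling back to a default certificate when no name was sent. The hostnames, the certificate file names and the cipher suite list are constructed sample data.

```python
import ipaddress
import struct
from typing import Dict, Optional

# Extension type numbers from RFC 6066 (server_name) and RFC 8446 (supported_versions).
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B
NAME_TYPE_HOST_NAME = 0


def sni_for_target(target: str) -> Optional[str]:
    """What a browser puts in SNI for a given URL host: the name, or nothing for an IP literal."""
    try:
        ipaddress.ip_address(target)
        return None  # RFC 6066: literal IPv4/IPv6 addresses are not permitted in SNI
    except ValueError:
        return target


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Construct a TLS record carrying a ClientHello, with or without a server_name extension."""
    body = b"\x03\x03" + b"\x11" * 32          # legacy_version TLS 1.2 + fixed 32-byte "random" (sample data)
    body += b"\x00"                             # empty session_id
    suites = b"\x13\x01\x13\x02"                # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                         # one compression method: null
    exts = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = bytes([NAME_TYPE_HOST_NAME]) + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    versions = b"\x02\x03\x04"                  # supported_versions: [TLS 1.3]
    exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(versions)) + versions
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record: handshake(22)


def extract_sni(record: bytes) -> Optional[str]:
    """Parse a ClientHello record and return the host_name from its server_name extension, if any."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                # skip legacy_version and random
    pos += 1 + body[pos]                        # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                        # compression_methods
    if pos + 2 > len(body):
        return None                             # no extensions block at all (pre-SNI client)
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype != EXT_SERVER_NAME or len(data) < 2:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        q = 2
        while q + 3 <= min(2 + list_len, len(data)):
            ntype = data[q]
            nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
            q += 3
            name = data[q:q + nlen]
            q += nlen
            if ntype == NAME_TYPE_HOST_NAME:
                return name.decode("ascii")
    return None                                 # client sent no server_name: old browser or IP access


def select_certificate(sni: Optional[str], vhosts: Dict[str, str], default_cert: str) -> str:
    """Server-side choice: the named site's certificate, or the IP's default one when no name matches."""
    if sni is None:
        return default_cert
    return vhosts.get(sni.lower(), default_cert)


if __name__ == "__main__":
    # Hypothetical virtual hosts sharing one IP, and that IP's default certificate.
    vhosts = {"shop.example.com": "shop.example.com.crt", "blog.example.com": "blog.example.com.crt"}
    default_cert = "serverX.web-hosting.com.crt"
    for target in ("shop.example.com", "blog.example.com", "203.0.113.10"):
        hello = build_client_hello(sni_for_target(target))
        sni = extract_sni(hello)
        print(f"{target:18} SNI={sni!s:18} -> {select_certificate(sni, vhosts, default_cert)}")
```

The last line of the loop is the case from the section above: connecting to 203.0.113.10 sends no SNI, so the IP's default certificate is returned and a browser would report a name mismatch. Against a live server the same behaviour can be observed with `openssl s_client -connect host:443` with and without the `-servername host` option and comparing the certificate subject in each case.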

*The list of browsers that support SNI:

  • Internet Explorer 7 or later, on Windows Vista or higher
  • Mozilla Firefox 2.0 or later
  • Opera 8.0 (2005) or later (the TLS 1.1 protocol must be enabled)
  • Opera Mobile at least version 10.1 beta on Android
  • Google Chrome (Vista or higher, XP on Chrome 6 or newer, OS X 10.5.7 or higher on Chrome 5.0.342.1 or newer)
  • Safari 3.0 or later (Mac OS X 10.5.6 or higher and Windows Vista or higher)
  • Konqueror/KDE 4.7 or later
  • MobileSafari in Apple iOS 4.0 or later
  • Android default browser on Honeycomb (v3.x) or newer
  • Windows Phone 7
  • MicroB on Maemo
  • Odyssey on MorphOS