
Server Name Indication being held back

Ever since websites have been available over HTTPS (HTTP over SSL), hosts have needed a dedicated IP address per site, because each site needs its own certificate. With SSL the server couldn't simply switch certificate according to the site requested, as SSL is negotiated before any HTTP request (and so the hostname) is sent.

Server Name Indication (SNI) is a TLS extension that sends the hostname during the TLS negotiation, which means the server can select the appropriate certificate – allowing a web host to have as many HTTPS sites as it wants on a single IP address. It's a great solution; the only problem is that its adoption is currently being held back.

Firefox 2.0, Opera 8.0 and even Google Chrome support SNI; however, Safari on OS X currently doesn't, and Internet Explorer 7 only supports it on Windows Vista, not on Windows XP. So SNI is being held back by a lack of support in IE and Safari, two significant browsers which many people use – admins can't ignore either of them.

SNI is only just becoming available in Linux distributions, with Apache 2.2.8 and the latest versions of OpenSSL, so it isn't available to everyone just yet. But being unable to use it for many years, because any Internet Explorer user on Windows XP won't be able to view any SNI sites, is going to be a huge hindrance to adopting it.

© Alex Tomkins.