This Time Self-Hosted

SNI Quest: how’s the support?

After yesterday’s incident my blog and all the other apps I’ve been hosting have moved to use SNI certificates (a downgrade to Class 1 from Class 2, but that’s okay).

SNI is still considered a partially experimental feature nowadays because Windows XP is unfortunately still a thing. Luckily for me, it doesn’t seem like I have many Windows XP users — and the few that are there are probably okay with using either Chrome, Firefox or Opera, all of which use their own implementation of SSL (two using NSS), that supports SNI just fine.

Internet Explorer uses the operating system level libraries, which are not capable of using SNI at all, even if you updated to IE8. With a bit of luck, this will also mean fewer spammers using real WinXP-based browsers will be able to post. I don’t hold my breath, but it’s still possible. A few spammers were kicked off by the HTTPS move after all, so who knows.

What turned out to be interesting is the support for dropping SNI-backed links into various web apps out there — the kind of test I’ve done many times before while testing my ModSecurity Rules. The results have been interesting. All the major websites, and RSS readers, seem to handle this pretty well, with two main exceptions.

LinkedIn has probably the worst HTTP client implementation I’ve seen on a serious web app. I already opened a ticket with them before because their fetcher does not use compressed answers. This is pretty bad, considering that non-compressed answers mean a multiple times increase, and since this is traffic upstream from your server, it means that you are paying for LinkedIn’s laziness.

Due to this, LinkedIn links to my blog were already showing a (wrong) 403 message (the actual error they would get is 406, but then they process it wrongly, and I don’t care much about that). With the new SNI certificate, the LinkedIn fetcher now can only report the hostname of my blog, and no log in Apache can be found about it, which makes me guess that they try to validate the connection’s certificate, and fail.

NewsBlur is interesting as well. At first it seemed to me like it was not supporting SNI, as the settings page for my blog’s feed showed “401 Bad URL” error messages — without any matching log in Apache, which meant that the SSL connection was not completed either. On the other hand, the feed is fetched. While Samuel at first said that he did not care enough to implement SNI support for just one customer, and that made me look for alternatives for half an hour, he’s been very helpful with debugging a bit around it. Turns out that the problem is only for real-page fetching, and I haven’t spent much more time than this working on it. If somebody wants to look at it I’m happy to point you to what’s going on.

Luckily, Python’s httplib does not verify the certificates, which means Planet Gentoo still works. I’ve not checked Planet Multimedia yet — but at least that one I can fix if it fails.
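What "supporting SNI" means on the wire, as an added example that is not part of the original post: the client names the host it wants in the `server_name` extension of its ClientHello, and a fetcher that omits it gets the server's default certificate instead. The sketch below builds ClientHello messages in memory with Python's `ssl` module and parses them for that extension; `blog.example.org` is a placeholder host name and the function names are made up for this example.

```python
import ssl
import struct

SNI_EXT = 0  # extension type "server_name"


def client_hello_bytes(server_hostname):
    """Generate a real ClientHello in memory (no network) with ssl.MemoryBIO."""
    ctx = ssl.create_default_context()
    if server_hostname is None:
        ctx.check_hostname = False  # needed to build a client that sends no SNI
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello is now queued in `outgoing`, waiting for a reply
    return outgoing.read()


def sni_from_client_hello(data):
    """Return the host name a ClientHello asks for, or None if it sends no SNI."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[9:5 + rec_len]  # skip record header (5) and handshake header (4)
    pos = 2 + 32  # client_version + random
    pos += 1 + body[pos]  # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]  # compression_methods
    if pos + 2 > len(body):
        return None  # no extensions block at all, so no SNI
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if ext_type == SNI_EXT and body[pos + 2] == 0:  # name_type 0 = host_name
            name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
            return body[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None


if __name__ == "__main__":
    # blog.example.org is a placeholder host name, not the blog's real one.
    for host in ("blog.example.org", None):
        print(host, "->", sni_from_client_hello(client_hello_bytes(host)))
```

The same parser can be pointed at the first record of a captured connection from a misbehaving fetcher to see whether it sent a host name at all.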

Comments 5
  1. My blog relies on SNI. NewsBlur has been able to fetch my feed without problems. I launched my blog three weeks ago. The only clients I have found that have problems accessing my site(s) are poorly written “SEO analyzers” and similar online tools.

  2. Actually, I’ve always used SNI certificates because they’re given away for free by StartSSL. Conversely to cacert.org ones and at least until some time ago, there is no need to add CA certs to the browser. However, I see that bugs.g.o uses cacert.org and my browser is not complaining anymore. I guess that they added cacert.org to ca-certificates, maybe.

  3. I’ve been using wildcard certificates from StartSSL with Class 2 as some of my services were provided to customers running Windows XP. Now that’s no longer a concern for me, so I could stick with Class 1, but StartSSL is cheap enough and has a very good service so I’m sticking with them for the time being. CACert seems to be accepted by Chrome even on my corp laptop which is actually surprising. But Chrome on Android still fails with it so I’m not going to move to it just yet. But I got assurances while at LISA, so that’s going to be easier.

  4. I’ve been hearing a lot about using SNI with StartCom/StartSSL free (class1).. I made an attempt, but somehow the site complained that it didn’t support more than 1 alternative name. So.. is it limited to 2, or can I seriously do the following..
     - 8 different domains (with 1 as the main)
     - 1 domain with 30 subdomains
     - the others with just www as subdomain
     - all as SNI with the free StartCom/StartSSL class

     Because, that’d be just awesome and I could be doing something wrong in that it’s failing 😉

  5. Class 1 certificates with StartSSL only support a single host plus domain name, the SNI setup I’m using uses a single cert per host. Class 2 is necessary to use wildcard domain, which is not free, but is relatively cheap and better supported than CAcert by mobile phones for instance.
