I have a site that is served over HTTPS, but which iTunes cannot find. My suspicion is that the iTunes back-up server runs Java 6, and Java 6 does not support SNI. SSL Labs seems to be hinting that SNI is required for my site (see this report and the SNI search), but I cannot understand why. Have I misunderstood multi-domain certificates? I have several sites running on the same server, but I understood that as long as all the URLs were listed as Subject Alternative Names in the certificate, everything would be fine.
Does anyone know a good way to check whether a URL requires SNI support on the client to access it? I do not have Windows XP / Java 6 installed to play with, sadly.
Nginx in general, and your site in particular, accepts but does not require SNI. To verify this you cannot easily use Oracle Java out of the box, because its cacerts does not include DST Root CA X3, the root certificate (originally) used by Let's Encrypt, which issued your site's certificate; this is true for all versions of Oracle Java prior to the current one (8u74). Windows (hence IE and Chrome on Windows) and Firefox do have this root certificate; I cannot say for other OSes or browsers.
To fix this so you can test easily:
- In Oracle Java 6, add DSTX3 to JRE/lib/security/cacerts. The certificate is available from https://letsencrypt.org/certificates/ and https://www.identrust.com/certificates/trustid/root-download-x3.html; take the base64 (PEM) form and import it with Java keytool.
- Or, in Oracle Java 6, [...] DSTX3 [...].
- Or use a Java 6 with a different cacerts. For example, CentOS 6 openjdk (6, 7 and 8) uses the system CA "bundle", which includes DSTX3 [...]. [...] RedHat [...].
- Use Wireshark to capture the handshake and check whether the ClientHello carries SNI and what the HTTP response is.
- [...] SNI [...] "monitor".
SSLLabs [...] SNI [...]. [...] SNI [...]. [...] SNI.
Windows XP/Java 6 [...].
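The Wireshark step above comes down to finding the server_name extension (type 0) in the ClientHello; the same extension, sent back empty, is how a server acknowledges SNI. The following Python script is an added example and not code from the answer: it builds a constructed TLS 1.2 ClientHello (placeholder random bytes, cipher suite and supported_groups values) with or without SNI, a constructed ServerHello with or without the acknowledgement, and parses either hello for the extension the way you would read one off a capture.

```python
"""Find the server_name (SNI) extension in a raw TLS hello record.

Added example, not code from the thread: the hello messages are constructed
here with placeholder random bytes, cipher suite and supported_groups values,
so the script runs offline.
"""
import os
import struct

HANDSHAKE = 0x16                   # TLS record content type
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
SNI_EXT_TYPE = 0                   # extension_type server_name (RFC 6066)


def _record(hs_type, body, record_version=b"\x03\x01"):
    """Wrap a hello body in handshake and record headers."""
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return (bytes([HANDSHAKE]) + record_version
            + struct.pack("!H", len(handshake)) + handshake)


def build_client_hello(host=None):
    """Constructed TLS 1.2 ClientHello, with a server_name extension for
    `host` if one is given. Cipher suite and groups are placeholders."""
    extensions = b""
    if host is not None:
        name = host.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        sni = struct.pack("!H", len(entry)) + entry              # ServerNameList
        extensions += struct.pack("!HH", SNI_EXT_TYPE, len(sni)) + sni
    groups = b"\x00\x02\x00\x17"                                 # secp256r1 only
    extensions += struct.pack("!HH", 10, len(groups)) + groups   # supported_groups
    body = (b"\x03\x03" + os.urandom(32)       # client_version, random
            + b"\x00"                           # empty session_id
            + b"\x00\x02\xc0\x2f"               # one cipher suite
            + b"\x01\x00"                       # compression: null
            + struct.pack("!H", len(extensions)) + extensions)
    return _record(CLIENT_HELLO, body)


def build_server_hello(ack_sni):
    """Constructed TLS 1.2 ServerHello; with ack_sni it carries the empty
    server_name extension that acknowledges the client's SNI."""
    extensions = struct.pack("!HH", SNI_EXT_TYPE, 0) if ack_sni else b""
    body = (b"\x03\x03" + os.urandom(32)       # server_version, random
            + b"\x00"                           # empty session_id
            + b"\xc0\x2f" + b"\x00"             # cipher_suite, compression
            + struct.pack("!H", len(extensions)) + extensions)
    return _record(SERVER_HELLO, body, b"\x03\x03")


def find_sni(record):
    """Return the host name from a ClientHello's server_name extension,
    "" for an empty extension (the server's acknowledgement), or None when
    the hello carries no server_name extension at all."""
    if record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    hs_type = record[5]
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    pos = 2 + 32                                   # version + random
    pos += 1 + body[pos]                           # session_id
    if hs_type == CLIENT_HELLO:
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                                   # compression_methods
    elif hs_type == SERVER_HELLO:
        pos += 2 + 1                                           # cipher_suite, compression
    else:
        raise ValueError("not a Hello message")
    if pos >= len(body):
        return None                                # hello ends without extensions
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos, end = pos + 2, pos + 2 + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + length]
        pos += 4 + length
        if ext_type != SNI_EXT_TYPE:
            continue
        if not data:
            return ""                              # empty acknowledgement
        list_len = struct.unpack("!H", data[:2])[0]
        entries, i = data[2:2 + list_len], 0
        while i + 3 <= len(entries):
            name_type = entries[i]
            name_len = struct.unpack("!H", entries[i + 1:i + 3])[0]
            if name_type == 0:                     # host_name
                return entries[i + 3:i + 3 + name_len].decode("idna")
            i += 3 + name_len
        return ""
    return None
```

Feed `find_sni` the first record of a captured client or server flight (the bytes Wireshark shows as "Client Hello"/"Server Hello") and the three return values map to the three cases in the answer: a host name means the client sent SNI, an empty string means the server acknowledged it, None means the extension is absent.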
You can check this with openssl:
    # without SNI
    $ openssl s_client -connect host:port
    # use SNI
    $ openssl s_client -connect host:port -servername host
Compare the output of the two openssl s_client runs: if the site requires SNI, the connection without SNI gets a different SSL certificate (or none at all), while the connection with SNI gets the site's SSL certificate.
Another way to see whether the server supports SNI:
    openssl s_client -servername alice.sni.velox.ch -tlsextdebug -msg \
        -connect alice.sni.velox.ch:443 2>/dev/null | grep "server name"
If the server supports SNI, the output contains the server's acknowledgement of the extension:
    TLS server extension "server name" (id=0), len=0
The above is a summary of the answers on serverfault.
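The two openssl s_client runs from the second answer can be scripted so the comparison is explicit. This Python script is an added example and not code from the thread: presented_cert handshakes with and without the server_name extension (Python's ssl module sends no SNI when server_hostname is None), and classify applies the answer's rule to the two results; the host and port are whatever you pass in, and no real site is assumed.

```python
"""Does a TLS server require SNI? Compare the leaf certificate it presents
with and without the server_name extension, the Python equivalent of running
`openssl s_client` twice. Added example, not code from the thread; host and
port are caller-supplied, nothing here refers to a real site."""
import hashlib
import socket
import ssl


def presented_cert(host, port=443, sni=True, timeout=5.0):
    """Return (sha256 hex of the DER leaf certificate, None) on success or
    (None, error text) when the handshake fails. Verification is disabled on
    purpose: the question is which certificate is served, not whether it
    chains to a root in the local store (the Java 6 cacerts problem from the
    first answer)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must precede CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_hostname=None means no server_name extension is sent
            with ctx.wrap_socket(raw, server_hostname=host if sni else None) as tls:
                der = tls.getpeercert(binary_form=True)
                return hashlib.sha256(der).hexdigest(), None
    except OSError as exc:              # ssl.SSLError is a subclass of OSError
        return None, str(exc)


def classify(with_sni, without_sni):
    """Interpret the two (fingerprint, error) results the way the answer's
    openssl check does."""
    fp_with, err_with = with_sni
    fp_without, err_without = without_sni
    if fp_with is None:
        return "unreachable: handshake with SNI failed (%s)" % err_with
    if fp_without is None:
        return "requires SNI: handshake without SNI failed (%s)" % err_without
    if fp_with == fp_without:
        return "does not require SNI: same certificate either way"
    return ("requires SNI for this name: a different (default) certificate "
            "is served without it")


def check_sni(host, port=443):
    """Run both handshakes against a live server and classify the result."""
    return classify(presented_cert(host, port, sni=True),
                    presented_cert(host, port, sni=False))


if __name__ == "__main__":
    import sys
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(check_sni(target, target_port))
```

Run it as `python check_sni.py host [port]` (file name is arbitrary). The "different certificate" verdict is the case a Java 6 or Windows XP client without SNI actually hits on a shared-IP server: the handshake succeeds, but the default virtual host's certificate does not match the name, so the client fails hostname verification rather than the TLS handshake itself.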