Jeffrey,
If I read OP's information right, the test they were seeing was that it says it needs SNI support and a number of browsers showed "No SNI support". I know from testing OpenResty supports SNI. That isn't the issue here I believe.
Sent from my Galaxy
-------- Original message --------
From: Jeffrey Walton <noloader@gmail.com>
Date: 3/15/24 14:24 (GMT-05:00)
To: nginx@nginx.org
Cc: Thomas Ward <teward@thomas-ward.net>
Subject: Re: No SNI support on multisite installation
On Fri, Mar 15, 2024 at 2:05 PM Thomas Ward via nginx <nginx@nginx.org> wrote:
>
> If you only have one IP, then you cannot fix this. SNI is what determines which certificate to serve for the request. The only solution would be individual IPs for each domain, thus not needing SNI to get the correct cert for each domain.
The real fix needs to be made in openrusty. SNI is a standard
extension. its about time openrusty properly support it.
Another way to fix it is, find a CA to issue a certificate that
includes all the domains in the Subject Alt Name. So the end entity
certificate issued would have, say, 10 or 12 different domains so the
same cert can be used for all the connections.
Google serves a cert like that for 'google.com', but they own all the
web properties.
$ openssl s_client -connect google.com:443 -servername google.com |
openssl x509 -text -noout
...
DNS:*.google.com, DNS:*.appengine.google.com, DNS:*.bdn.dev, DNS
:*.origin-test.bdn.dev, DNS:*.cloud.google.com, DNS:*.crowdsource.google.com, DN
S:*.datacompute.google.com, DNS:*.google.ca, DNS:*.google.cl, DNS:*.google.co.in
, DNS:*.google.co.jp, DNS:*.google.co.uk, DNS:*.google.com.ar, DNS:*.google.com.
au, DNS:*.google.com.br, DNS:*.google.com.co, DNS:*.google.com.mx, DNS:*.google.
com.tr, DNS:*.google.com.vn, DNS:*.google.de, DNS:*.google.es, DNS:*.google.fr,
DNS:*.google.hu, DNS:*.google.it, DNS:*.google.nl, DNS:*.google.pl, DNS:*.google
.pt, DNS:*.googleapis.cn, DNS:*.googlevideo.com, DNS:*.gstatic.cn, DNS:*.gstatic
-cn.com, DNS:googlecnapps.cn, DNS:*.googlecnapps.cn, DNS:googleapps-cn.com, DNS:
*.googleapps-cn.com, DNS:gkecnapps.cn, DNS:*.gkecnapps.cn, DNS:googledownloads.c
n, DNS:*.googledownloads.cn, DNS:recaptcha.net.cn, DNS:*.recaptcha.net.cn, DNS:r
ecaptcha-cn.net, DNS:*.recaptcha-cn.net, DNS:widevine.cn, DNS:*.widevine.cn, DNS
:ampproject.org.cn, DNS:*.ampproject.org.cn, DNS:ampproject.net.cn, DNS:*.amppro
ject.net.cn, DNS:google-analytics-cn.com, DNS:*.google-analytics-cn.com, DNS:goo
gleadservices-cn.com, DNS:*.googleadservices-cn.com, DNS:googlevads-cn.com, DNS:
*.googlevads-cn.com, DNS:googleapis-cn.com, DNS:*.googleapis-cn.com, DNS:googleo
ptimize-cn.com, DNS:*.googleoptimize-cn.com, DNS:doubleclick-cn.net, DNS:*.doubl
eclick-cn.net, DNS:*.fls.doubleclick-cn.net, DNS:*.g.doubleclick-cn.net, DNS:dou
bleclick.cn, DNS:*.doubleclick.cn, DNS:*.fls.doubleclick.cn, DNS:*.g.doubleclick
.cn, DNS:dartsearch-cn.net, DNS:*.dartsearch-cn.net, DNS:googletraveladservices-
cn.com, DNS:*.googletraveladservices-cn.com, DNS:googletagservices-cn.com, DNS:*
.googletagservices-cn.com, DNS:googletagmanager-cn.com, DNS:*.googletagmanager-c
n.com, DNS:googlesyndication-cn.com, DNS:*.googlesyndication-cn.com, DNS:*.safef
rame.googlesyndication-cn.com, DNS:app-measurement-cn.com, DNS:*.app-measurement
-cn.com, DNS:gvt1-cn.com, DNS:*.gvt1-cn.com, DNS:gvt2-cn.com, DNS:*.gvt2-cn.com,
DNS:2mdn-cn.net, DNS:*.2mdn-cn.net, DNS:googleflights-cn.net, DNS:*.googlefligh
ts-cn.net, DNS:admob-cn.com, DNS:*.admob-cn.com, DNS:googlesandbox-cn.com, DNS:*
.googlesandbox-cn.com, DNS:*.safenup.googlesandbox-cn.com, DNS:*.gstatic.com, DN
S:*.metric.gstatic.com, DNS:*.gvt1.com, DNS:*.gcpcdn.gvt1.com, DNS:*.gvt2.com, D
NS:*.gcp.gvt2.com, DNS:*.url.google.com, DNS:*.youtube-nocookie.com, DNS:*.ytimg
.com, DNS:android.com, DNS:*.android.com, DNS:*.flash.android.com, DNS:g.cn, DNS
:*.g.cn, DNS:g.co, DNS:*.g.co, DNS:goo.gl, DNS:www.goo.gl, DNS:google-analytics.
com, DNS:*.google-analytics.com, DNS:google.com, DNS:googlecommerce.com, DNS:*.g
ooglecommerce.com, DNS:ggpht.cn, DNS:*.ggpht.cn, DNS:urchin.com, DNS:*.urchin.co
m, DNS:youtu.be, DNS:youtube.com, DNS:*.youtube.com, DNS:youtubeeducation.com, D
NS:*.youtubeeducation.com, DNS:youtubekids.com, DNS:*.youtubekids.com, DNS:yt.be
, DNS:*.yt.be, DNS:android.clients.google.com, DNS:developer.android.google.cn,
DNS:developers.android.google.cn, DNS:source.android.google.cn, DNS:developer.ch
rome.google.cn, DNS:web.developers.google.cn
...
Jeff
_______________________________________________
nginx mailing list
nginx@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx