RE: No SNI support on multisite installation

Thomas Ward via nginx
March 15, 2024 02:38PM
Jeffrey,

If I read OP's information right, the test they were seeing was that it says it needs SNI support and a number of browsers showed "No SNI support". I know from testing OpenResty supports SNI. That isn't the issue here I believe.



Sent from my Galaxy



-------- Original message --------
From: Jeffrey Walton <noloader@gmail.com>
Date: 3/15/24 14:24 (GMT-05:00)
To: nginx@nginx.org
Cc: Thomas Ward <teward@thomas-ward.net>
Subject: Re: No SNI support on multisite installation

On Fri, Mar 15, 2024 at 2:05 PM Thomas Ward via nginx <nginx@nginx.org> wrote:
>
> If you only have one IP, then you cannot fix this. SNI is what determines which certificate to serve for the request. The only solution would be individual IPs for each domain, thus not needing SNI to get the correct cert for each domain.

The real fix needs to be made in OpenResty. SNI is a standard
extension. It's about time OpenResty properly supported it.

Another way to fix it is, find a CA to issue a certificate that
includes all the domains in the Subject Alt Name. So the end entity
certificate issued would have, say, 10 or 12 different domains so the
same cert can be used for all the connections.

Google serves a cert like that for 'google.com', but they own all the
web properties.

$ openssl s_client -connect google.com:443 -servername google.com |
openssl x509 -text -noout

...

Jeff
_______________________________________________
nginx mailing list
nginx@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx