
We're a multi-tenant service and terminate our SSL at our load balancers (HAProxy + Apache for SSL termination), which has caused growing pains due to dedicated IP requirements. But times have changed and we're considering moving to SNI, so I was hoping for educated opinions, for 2015, about adopting it as our standard.

I'm going to outline our assumptions:

  • SSL is dead (long live TLS) due to the POODLE attack,
  • TLS has SNI built in
  • IE6 / Windows XP ( < sp3) are dead for many reasons, not the least of which is XP going EOL
  • We've terminated support for IE7 and essentially IE8 at this point

Am I correct in assuming that SNI is essentially globally supported now?

... and ...

Are there scenarios that I should consider beyond this that would affect support?

... and finally ...

Now that HAProxy 1.5 supports SSL Termination directly, are there any caveats in your experience directly relating to SNI that will affect our ability to roll out this service?

oucil

2 Answers

Am I correct in assuming that SNI is essentially globally supported now?

If you consider browsers - yes.

If you have to deal with other kinds of applications - not really:

  • Python 3 has support, but Python 2.7 only got support with the just-released version 2.7.9
  • Android has limited support. HttpURLConnection has had support for a long time, but the SDK contained an old version of Apache HttpClient for the more advanced stuff and this version did not support SNI. I don't know if the situation changed with the latest SDK.
  • Java got support only with JDK 1.7
  • There are still some crawlers for search engines out there which don't support SNI. According to https://www.mnot.net/blog/2014/05/09/if_you_can_read_this_youre_sniing, as of 05/2014 these included Bing, Yahoo, Baidu and others.
Steffen Ullrich
  • Excellent point Steffen, thanks for bringing it up. Great link as well, good experiments and a good indicator. Surprised that Py only just received it, that's certainly important, same goes for Android support. As for Java, I'm a little less concerned with forcing modern client use for connectivity in that case. WRT the last point, I'd be interested to know whether many of those bots are still not supporting it, post-POODLE that is. Many of us had to upgrade our clients/bots/etc when we lost SSL in the fall. – oucil Feb 27 '15 at 21:07

Am I correct in assuming that SNI is essentially globally supported now?

Essentially, yes - though you'll likely run into some edge case users who will complain about brokenness if SNI is required. If you have the capability to tell those people "use a browser from this decade, please" for your service, then you're set.

Are there scenarios that I should consider beyond this that would affect support?

Browser/client OS support are the big ones, though I can imagine some other fun problems with corporate networks using SSL terminating proxies that don't support passing the SNI part of the TLS handshake, which would also break SNI.

Now that HAProxy 1.5 supports SSL Termination directly, are there any caveats in your experience directly relating to SNI that will affect our ability to roll out this service?

I can't speak directly to caveats with HAProxy - we're using its SSL termination but not SNI on top of it.

Shane Madden
  • Thanks Shane! WRT Browser/client OS support, the only one I was aware of as a concern was XP and any version of IE for it. I've done some searching around but the most comprehensive list seems to be here: https://www.digicert.com/ssl-support/apache-secure-multiple-sites-sni.htm and this http://blog.layershift.com/sni-ssl-production-ready/ also indicates pretty good backwards support. Are there any specifics you could mention I should be worried about? – oucil Feb 27 '15 at 19:27
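Both answers above come down to the same question: does a given client actually put a server_name extension into its ClientHello? Old Python, the old Android HttpClient, some crawlers, or a corporate proxy that re-originates the handshake (Shane's point) all show up the same way on the wire: a ClientHello with no SNI, which a multi-cert HAProxy frontend can only answer with its default certificate. The following is an added example, not code from either answer, from the asker, or from the HAProxy project: a Python 3 script that pulls the SNI hostname out of raw ClientHello bytes, so you can check what a client really sends (for instance from a capture taken at the load balancer). It builds a constructed ClientHello by hand, with and without the extension, and also uses Python's own ssl module with a MemoryBIO to produce a genuine ClientHello offline. The hostnames are made-up placeholders.

```python
import ssl
import struct

# TLS constants used below
RECORD_HANDSHAKE = 22      # ContentType handshake
HS_CLIENT_HELLO = 1        # HandshakeType client_hello
EXT_SERVER_NAME = 0        # ExtensionType server_name (RFC 6066)
NAME_TYPE_HOST = 0         # NameType host_name


def build_client_hello(sni=None):
    """Hand-built ClientHello record (constructed sample, not captured traffic).
    With sni given, it carries a server_name extension; with sni=None it has no
    extensions block at all, which is what a pre-SNI client looks like."""
    hello = b"\x03\x03" + bytes(32)          # legacy_version TLS 1.2, all-zero random (constructed)
    hello += b"\x00"                          # empty session_id
    hello += b"\x00\x02\xc0\x2f"              # one cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    hello += b"\x01\x00"                      # compression methods: null only
    if sni is not None:
        name = sni.encode("ascii")
        entry = bytes([NAME_TYPE_HOST]) + struct.pack("!H", len(name)) + name
        sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(entry) + 2)
        sni_ext += struct.pack("!H", len(entry)) + entry
        hello += struct.pack("!H", len(sni_ext)) + sni_ext
    handshake = bytes([HS_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([RECORD_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def client_hello_from_python_ssl(server_hostname):
    """Genuine ClientHello bytes from this interpreter's ssl module, generated
    offline through a MemoryBIO pair (no socket). server_hostname=None makes
    OpenSSL omit SNI, like a legacy client would."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False               # allow server_hostname=None for the no-SNI case
    ctx.verify_mode = ssl.CERT_NONE          # no certificate is ever received here
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    sslobj = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        sslobj.do_handshake()
    except ssl.SSLWantReadError:
        pass                                 # first flight is written, now waiting for the server
    return outgoing.read()


def extract_sni(data):
    """Return the host_name from the server_name extension of a ClientHello,
    or None if the ClientHello carries no SNI. Raises ValueError on non-handshake input."""
    # Reassemble the handshake fragments from one or more TLS records.
    body, pos = b"", 0
    while pos + 5 <= len(data):
        ctype, _version, length = struct.unpack("!BHH", data[pos:pos + 5])
        if ctype != RECORD_HANDSHAKE:
            raise ValueError("not a handshake record")
        body += data[pos + 5:pos + 5 + length]
        pos += 5 + length
    if len(body) < 4 or body[0] != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]

    p = 2 + 32                               # skip legacy_version and random
    p += 1 + hello[p]                        # session_id
    p += 2 + int.from_bytes(hello[p:p + 2], "big")   # cipher_suites
    p += 1 + hello[p]                        # compression_methods
    if p >= len(hello):
        return None                          # no extensions block: legacy client, no SNI possible
    ext_total = int.from_bytes(hello[p:p + 2], "big")
    p += 2
    end = p + ext_total
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[p:p + 4])
        p += 4
        if etype == EXT_SERVER_NAME:
            q = p + 2                        # skip server_name_list length
            while q + 3 <= p + elen:
                ntype = hello[q]
                nlen = int.from_bytes(hello[q + 1:q + 3], "big")
                if ntype == NAME_TYPE_HOST:
                    return hello[q + 3:q + 3 + nlen].decode("ascii")
                q += 3 + nlen
        p += elen
    return None                              # extensions present, but no server_name among them


if __name__ == "__main__":
    for label, raw in [
        ("constructed, with SNI", build_client_hello("tenant-a.example.com")),
        ("constructed, legacy no-ext", build_client_hello(None)),
        ("python ssl, with SNI", client_hello_from_python_ssl("tenant-b.example.com")),
        ("python ssl, no hostname", client_hello_from_python_ssl(None)),
    ]:
        print(f"{label:28s} -> SNI = {extract_sni(raw)!r}")
```

Feeding the parser the first few hundred bytes of each inbound TLS connection (from a capture on port 443 at the balancer) gives a direct count of clients that would land on the default certificate after a switch to SNI, which is a better basis for the decision than browser-version tables alone.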