We're a multi-tenant service and terminate our SSL at our load balancers (HAProxy + Apache for SSL termination). This has caused growing pains due to dedicated IP requirements. But times have changed and we're considering moving to SNI, so I was hoping for educated opinions for 2015 about adopting it as our standard.
I'm going to outline our assumptions:
- SSL is dead (long live TLS) due to the POODLE attack
- TLS has SNI built in
- IE6 / Windows XP (< SP3) are dead for many reasons, not the least of which is XP going EOL
- We've terminated support for IE7 and essentially IE8 at this point
Am I correct in assuming that SNI is essentially globally supported now?
... and ...
Are there scenarios that I should consider beyond this that would affect support?
... and finally ...
Now that HAProxy 1.5 supports SSL Termination directly, are there any caveats in your experience directly relating to SNI that will affect our ability to roll out this service?