No SNI support on multisite installation

Thomas Ward teward at thomas-ward.net
Fri Mar 15 18:37:11 UTC 2024


Jeffrey,

If I read OP's information right, the test they were seeing was that it says it needs SNI support and a number of browsers showed "No SNI support".  I know from testing OpenResty supports SNI.  That isn't the issue here I believe.



Sent from my Galaxy



-------- Original message --------
From: Jeffrey Walton <noloader at gmail.com>
Date: 3/15/24 14:24 (GMT-05:00)
To: nginx at nginx.org
Cc: Thomas Ward <teward at thomas-ward.net>
Subject: Re: No SNI support on multisite installation

On Fri, Mar 15, 2024 at 2:05 PM Thomas Ward via nginx <nginx at nginx.org> wrote:
>
> If you only have one IP, then you cannot fix this.  SNI is what determines which certificate to serve for the request.  The only solution would be individual IPs for each domain, thus not needing SNI to get the correct cert for each domain.

The real fix needs to be made in OpenResty. SNI is a standard
extension. It's about time OpenResty properly support it.

Another way to fix it is to find a CA to issue a certificate that
includes all the domains in the Subject Alt Name. So the end entity
certificate issued would have, say, 10 or 12 different domains so the
same cert can be used for all the connections.

Google serves a cert like that for 'google.com', but they own all the
web properties.

$ openssl s_client -connect google.com:443 -servername google.com |
openssl x509 -text -noout

...

Jeff
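
Added example (not part of the original thread or of any project's code): a client that sends no SNI gets the server's default certificate, so a shared certificate only helps if its Subject Alt Name list really covers every site name. The check below assumes the hostname matching rules of RFC 6125; all hostnames, SAN entries and function names are constructed for illustration.

```python
# Added example: SAN coverage check for one certificate shared by many sites.
# Every hostname and SAN entry below is a constructed sample value.

def san_matches(pattern: str, host: str) -> bool:
    """Match one DNS SAN entry against a hostname (RFC 6125 style).

    A '*' is honoured only as the entire left-most label and stands for
    exactly one label, so '*.example.com' covers 'www.example.com' but
    neither 'example.com' nor 'a.b.example.com'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Conservative assumption: at least two fixed labels must follow
        # the wildcard, so an entry such as '*.com' never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def uncovered_hosts(san_entries, site_hosts):
    """Return the site hostnames that no SAN entry covers, in input order."""
    return [h for h in site_hosts
            if not any(san_matches(s, h) for s in san_entries)]


# Constructed SAN list, shaped like the DNS: entries of `openssl x509 -text`.
SAMPLE_SANS = ["example.com", "*.example.com", "shop.example.net"]

# Constructed list of site names hosted behind a single IP address.
SAMPLE_SITES = [
    "example.com",         # exact match
    "www.example.com",     # covered by the wildcard
    "api.eu.example.com",  # two labels deep: the wildcard does not apply
    "example.net",         # only shop.example.net is listed
    "shop.example.net",    # exact match
]

if __name__ == "__main__":
    for host in uncovered_hosts(SAMPLE_SANS, SAMPLE_SITES):
        print("not covered by the shared certificate:", host)
```
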