ssl/non-ssl

Igor Sysoev is at rambler-co.ru
Fri Jun 20 20:51:54 MSD 2008


On Fri, Jun 20, 2008 at 05:28:06PM +0100, Ed W wrote:

> Igor Sysoev wrote:
> >On Fri, Jun 20, 2008 at 10:59:23AM -0400, jeff emminger wrote:
> >
> >  
> >>>http://marc.info/?l=nginx&m=120992171505688
> >>>
> >>>      
> >>are you saying it's not possible? 
> >>    
> >
> >Yes, until SNI is common.
> >
> 
> I'm just doing some testing right now - however, I reckon that SNI *is* 
> commonly supported now.  I would guess that penetration of FF2+ IE7 
> (vista) is >50% on my sites and growing.

>50% does not mean 99%. For example, in the Russian part of the Internet
IE6 still does 34% of requests and XP does 82%:

http://www.liveinternet.ru/stat/ru/browsers.html
http://www.liveinternet.ru/stat/ru/oses.html

> Sure that's not enough to 
> gamble a whole business strategy on, but that's plenty enough support to 
> start supporting in my opinion (hey how many people are primarily 
> supporting only FF on their sites and paying only lip service to IE 
> anyway...)

nginx supports SNI. You only have to build/install OpenSSL with SNI support
and rebuild nginx against it.

> Also it seems that using subjectAltName on the certificate is another 
> route for sites where you have a known and reasonably fixed number of 
> domain names (not sure how many CAs will sign these though?)

Yes, there are options like wildcard certificates and subjectAltName,
but they require special handling and planning. There is still
no easy way to use name-based SSL virtual hosts.


-- 
Igor Sysoev
http://sysoev.ru/en/
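
An added example, not part of the original message: without SNI the server presents one certificate per IP address and port, so that certificate has to cover every name served there. The Python below checks which virtual hosts a certificate's subjectAltName entries (including wildcards) cover; the host names and SAN list are constructed, and matching uses the common rule that a wildcard stands for exactly one leftmost label.

```python
# Added example: all names below are constructed for illustration.

def san_matches(pattern: str, host: str) -> bool:
    """Match one subjectAltName dNSName entry against a host name."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more or fewer than one label
    if p_labels[0] == "*":
        # Accept a wildcard only as the whole leftmost label, and only
        # when at least two labels follow it (rejects "*.com").
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    # Anything else must match exactly; partial wildcards such as
    # "f*.example.com" are treated as unsupported and never match.
    return "*" not in pattern and p_labels == h_labels


def uncovered_hosts(san_dns_names, vhosts):
    """Return the virtual hosts that no SAN entry covers."""
    return [h for h in vhosts
            if not any(san_matches(p, h) for p in san_dns_names)]


# Constructed certificate contents and virtual-host list.
SAN = ["example.com", "*.example.com", "shop.example.net"]
VHOSTS = ["example.com", "www.example.com", "a.b.example.com",
          "shop.example.net", "example.net"]

if __name__ == "__main__":
    for host in uncovered_hosts(SAN, VHOSTS):
        print("not covered by the shared certificate:", host)
```

Any host the check reports would produce a name-mismatch warning for clients that do not send SNI and therefore receive the shared certificate.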




