AW: AW: AW: SNI and certs.

steve steve at
Tue Nov 29 21:25:43 UTC 2016

On 11/30/2016 09:17 AM, Lukas Tribus wrote:
>>> Does it cause warnings in the webmaster tools? Who cares?
>>> Does it affect your ranking? I doubt it.
>>> Does it index pages or error pages from the default website and assign to
>>> your website? I doubt that even more.
>> Does it upset my customer? YES.
>> That's all the justification I need.
> That's fine, then why not just say that?
Why should I? I clearly defined the problem/misconfiguration. I don't 
really see the need to justify why I want to fix it.
> Instead you pretended to know about a huge problem with (a) crawler(s) that
> would probably have affected every third website. That would have been a huge
> deal, that everyone wanted to know about, if real.
No. I said this would affect anyone using a mixed http/https setup over 
SNI. I also said it was something I hadn't thought of, and as such was a 
cock up in my configuration.
> If you come on this mailing list claiming you can remotely crash every nginx
> instance, most likely people would like to clarify specifics and fix the problem,
> don't you think?
If I did make that claim, I'd describe exactly how I just crashed Of course I'd do that privately...
Interestingly, there are many posts on this subject, try googling them.
>> Feel free to disagree but I really did put up a request for suggestions
>> on how people solve this problem,  not to have a philosophical debate on
>> the matter.
> What I wanted to know is if there is a major bug in one of the crawlers, which
> is more or less what you suggested. Now we know its not, and that's great,
> because that means SEO is not fucked up for millions of websites out there
> in a very common configuration.
Well, you told me it doesn't happen... WTF?
I'll leave you to do your own research if you don't believe me. Ass-u-me.
> Besides, I did provide suggestions about the only way to handle this in nginx
> (return specific error codes or certificates from the default server block) and
> what would be ideal instead (aborting the TLS handshake like haproxy does
> with strict-sni enabled).
And what cert would you use in this default block that matches, so the 
crawler receives a meaningful response, rather than an incorrect cert ( 
which they don't like )?
I'm plenty old enough to realise I'll never know everything, and if my 
knowledge is deficient in this field, please show me where, or point me 
to where I can research further.

> lukas
Time to stop feeding the troll I think.


Steve Holdoway BSc(Hons) MIITP
Skype: sholdowa

More information about the nginx mailing list