Kim asks:
You wrote an article which does a great job of explaining a number of things. My only question (comments appear to be closed so I could not post there) is the SNI – do you find that there are many people using browsers that are old enough that the SNI creates a problem? I have looked over the list of incompatibles and it does not seem to be that much of a risk, but I thought you might have more concrete information since you’ve been using the setup.
This relates to how I set up my SSL certificates, which is to use Server Name Indication (SNI) and have multiple certs on one server with one IP. And the question is “Do we care about the old browsers?”
Let me quote my coworker.
IE8 is EOL, XP is EOL. We can’t support things forever.
XP makes up most of the sites that have issues with SNI, so I’ve only found 0.006% of my visitors impacted.
Yes, I did that math properly. I checked it a couple times.
No. I’m not worried about SNI and I don’t care. We can’t support old things forever.
Comments
3 responses to “Mailbag: SNI Incompatibility?”
I do worry a little bit about compatibility since my niche involves some people using these burial technologies. But I agree – you can’t support everything.
Just this week however, we had an instance where folks from a large educational institution were blocked from one of our sites that uses an SSL with SNI. Turns out Palo Alto’s firewall had mistakenly flagged our site as malicious. I think this was because the firewall was looking at the SSL for the IP address (which was the host’s server SSL), and that didn’t match the domain URL. In other words, the firewall wasn’t configured to properly recognize SNI. Do you see that happening much?
@Bet Hannon: I have to watch Siri every minute – that should be: “very old”, not “burial”.
@Bet Hannon: Not yet, but the IP for SSL and the domain here is the same. Since this is a multisite, that isn’t yet my fear.