https://wiki.freebsd.org/ certificate error
Simon L. B. Nielsen
simon at qxnitro.org
Sat Mar 9 14:48:26 UTC 2013
On 2 March 2013 07:48, Jeremy Chadwick <jdc at koitsu.org> wrote:
> (Please keep me CC'd as I'm not subscribed to -questions)
> (I'm CC'ing Simon Nielsen who maintains the FreeBSD webserver cluster, as
> this obviously needs to be looked at.)
> NOW BACK TO THE ACTUAL PROBLEM REPORTED --
> It appears that whoever maintains the FreeBSD webservers in the cluster
> **assumes** that the connecting client supports SNI. That assumption,
> as someone who has run a hosting organisation since 1993, is rude (some
> might say "bad", but I would say rude).
> Web browsers/clients that don't support SNI are screwed -- they'll
> receive a "certificate validation failure" error.
> Internet Explorer 6.x through 8.x -- newer is not available on Windows
> XP -- do not support SNI (this is even mentioned in the above Wikipedia
> page). They return the error "There is a problem with this website's
> security certificate" due to lack of SNI support.
> Let me be clear: THIS IS NOT THE FAULT (OR AGE) OF THE OS. THIS HAS TO
> DO WITH THE WEB BROWSER. Why?
> Because Firefox 19.0 on Windows XP works just fine, as it supports SNI.
AFAIR the problem is that some crypto library on Windows XP does not
support SNI. IE uses it, Firefox and others probably don't.
> So how do you solve this problem for "legacy" clients? Simple:
> By dedicating an IP address to the SSL-based virtualhost/webserver (i.e.
> one IP address per SSL-based virtual host), and do away with name-based
> vhosting for SSL. That's the only way.
I agree that SNI is suboptimal; unfortunately it was the best of bad solutions:
- We just don't have enough IPv4 addresses to dedicate one per virtual hostname.
- We could use IPv6 only which means excluding even more "legacy" clients.
- Bundling all sites under www.freebsd.org creates problems with
cookies, more pain in configuration, and less flexibility in moving
- Using SubjectAlternativeName (SAN) certificates was strongly
considered, but fewer CAs support them (most have no clue) and it
becomes a lot more painful to add new hosts. Those are also not fully
supported by all older OSes still in use.
Simon L. B. Nielsen
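The failure described in this thread is a client that sends no SNI, receives the server's default virtual-host certificate, and rejects it because its names do not cover the requested hostname. The following diagnostic, added here as an example and not part of the original post or of the FreeBSD cluster's configuration, fetches the certificate with and without SNI and applies the hostname/SAN matching rule a legacy client would; the sample certificate dict is constructed in the shape Python's `getpeercert()` returns and is not an actual FreeBSD certificate.

```python
import socket
import ssl

def cert_names(cert):
    """DNS names a certificate is valid for: SAN dNSName entries, falling back
    to the subject commonName only when the certificate has no SAN at all."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, hostname):
    """RFC 6125-style match: case-insensitive, a wildcard allowed only as the
    whole left-most label, never matching more than one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]

def legacy_client_would_fail(default_cert, hostname):
    """True if a client without SNI (which gets the default vhost certificate)
    would reject that certificate for `hostname`."""
    return not any(name_matches(n, hostname) for n in cert_names(default_cert))

def fetch_cert(hostname, port=443, use_sni=True):
    """Fetch the certificate a server presents with or without SNI. Chain
    verification stays on (CERT_REQUIRED); only the built-in hostname check is
    off so a wrong-name certificate is returned for inspection, not raised."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name matching is done by legacy_client_would_fail
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname if use_sni else None) as tls:
            return tls.getpeercert()

# Constructed sample of a default-vhost certificate (getpeercert() dict shape);
# not a real FreeBSD certificate.
SAMPLE_DEFAULT_CERT = {
    "subject": ((("commonName", "www.freebsd.org"),),),
    "subjectAltName": (("DNS", "www.freebsd.org"), ("DNS", "freebsd.org")),
}

if __name__ == "__main__":
    # Offline run on the sample; replace SAMPLE_DEFAULT_CERT with
    # fetch_cert(host, use_sni=False) to inspect what a live server sends.
    for host in ("www.freebsd.org", "wiki.freebsd.org"):
        status = "FAIL" if legacy_client_would_fail(SAMPLE_DEFAULT_CERT, host) else "ok"
        print(host, cert_names(SAMPLE_DEFAULT_CERT), status)
```

Comparing `fetch_cert(host, use_sni=True)` against `fetch_cert(host, use_sni=False)` shows directly whether a name-based TLS vhost depends on SNI for that hostname.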