Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Detecting browser's SNI support

I would like to know if there is any way to find out if a browser making an HTTP request supports SNI, other than verifying the user agent and guessing.

I would consider server or client side options.

What I would like to do is set up SSL certificates for multiple domains pointing to the same PHP application. I would then try to find out if the client making the request supports SNI, and if so, redirect him to the SSL enabled version.

like image 803
Gerry Avatar asked Sep 09 '11 15:09

Gerry


People also ask

What browsers support SNI?

Apache v2. 2.12 and OpenSSL v0. 9.8j and later support a transport layer security (TLS) called SNI.

How do I know if my server supports SNI?

where www.SERVERNAME.com is the SNI value you're testing and www.YOURSERVER.com is the domain name or IP address of the TLS-capable server you're testing. The command line uses openssl 's s_client (see s_client(1)) to connect to the server at www.YOURSERVER.com on port 443 .

Does Google Chrome support SNI?

Server Name Indication (SNI) is not currently supported. However, there is an open request for this feature. Users can't use multiple sign-in access if TLS inspection is enabled.


1 Answers

First, we know the browsers that currently support SNI:

Opera 8.0; MSIE 7.0 (but only on Windows Vista or higher); Firefox 2.0 and other browsers using Mozilla Platform rv:1.8.1; Safari 3.2.1 (Windows version supports SNI on Vista or higher); Chrome (Windows version supports SNI on Vista or higher, too).

so a cheap way is to determine the browser and if it is one of the above, it has SNI.

While this is not a best practice (preference to Feature Detection) it appears there no way to avoid it as SNI Detection requires a SSL handshake. Thus it is too late to do something after the fail of your SSL certificate.

like image 138
Todd Moses Avatar answered Oct 14 '22 10:10

Todd Moses