I would like to know if there is any way to find out if a browser making an HTTP request supports SNI, other than verifying the user agent and guessing.
I would consider server or client side options.
What I would like to do is set up SSL certificates for multiple domains pointing to the same PHP application. I would then try to find out if the client making the request supports SNI, and if so, redirect him to the SSL enabled version.
Apache v2. 2.12 and OpenSSL v0. 9.8j and later support a transport layer security (TLS) called SNI.
where www.SERVERNAME.com is the SNI value you're testing and www.YOURSERVER.com is the domain name or IP address of the TLS-capable server you're testing. The command line uses openssl 's s_client (see s_client(1)) to connect to the server at www.YOURSERVER.com on port 443 .
Server Name Indication (SNI) is not currently supported. However, there is an open request for this feature. Users can't use multiple sign-in access if TLS inspection is enabled.
First, we know the browsers that currently support SNI:
Opera 8.0; MSIE 7.0 (but only on Windows Vista or higher); Firefox 2.0 and other browsers using Mozilla Platform rv:1.8.1; Safari 3.2.1 (Windows version supports SNI on Vista or higher); Chrome (Windows version supports SNI on Vista or higher, too).
so a cheap way is to determine the browser and if it is one of the above, it has SNI.
While this is not a best practice (preference to Feature Detection) it appears there no way to avoid it as SNI Detection requires a SSL handshake. Thus it is too late to do something after the fail of your SSL certificate.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With