
Website Technology Issues Forum

    
SSL and SNI on dynamic IP - feasible?
encyclo

Msg#: 4531941 posted 11:53 pm on Dec 29, 2012 (gmt 0)

I'm thinking of getting a free SSL certificate for a web forum and having an optional secure version to cater for the paranoid members of the audience, but doing it on the cheap using SNI and maintaining the site on a dynamic IP. Is anyone doing this, do you get many complaints from XP users or from users of older browsers? Any major pitfalls?

(It's not an ecommerce site, and I don't really need SSL. I don't want to get a static IP for no real reason.)

 

ergophobe

Msg#: 4531941 posted 10:16 pm on Jan 2, 2013 (gmt 0)

I have been looking into it, but I'd need to rebuild the VPS entirely.

You've probably gotten this far already, but you need OpenSSL 0.9.8f or later.

If you're on cPanel, you're stuck with 0.9.8e and from all I can gather, changing that while sticking with cPanel is an iffy proposition, so I've given up for now because I'm not willing to tackle the migration off cPanel on a functioning server.

ergophobe

Msg#: 4531941 posted 10:36 pm on Jan 2, 2013 (gmt 0)

Turns out Plesk, Virtualmin and Webmin all support SNI.

But as to your original question, the latest data I can find shows XP at 39% of the desktop market and IE on XP at 47%, so you still have close to 20% who are going to have problems with SNI.

XP was losing share rapidly, but I think that the release of Windows 8, paradoxically, will keep people on XP longer. Win 8 is still under 2% and I bet if Win 7 were still the standard, you would have seen a greater increase in non-XP versions of Windows.

So for right now, I think you have to pony up and buy IPs. For me, I was just hoping to use it to lock down admin areas, so I would just use self-signed certs and modern browsers, so it wouldn't be an issue, but the hassle is too great for me for now.

src: [netmarketshare.com...]

encyclo

Msg#: 4531941 posted 2:32 am on Jan 3, 2013 (gmt 0)

Thanks for the reply, the server has the latest version of OpenSSL (1.0.1c) and no cPanel to worry about, so I have no issues regarding setting it all up (well, the hosting company can do it!). I just hate the frivolous use of dedicated IPv4 addresses. I have access to plenty of IPv6 addresses, but the forum CMS doesn't support IPv6, let alone my users :)

I've checked the stats for the site in question, and there are only about 5% of visitors using the problematic IE/XP combination - and I'm guessing that not all of those users would choose the secure site.

I think I'm going to go ahead and try it out using SNI. I assume that XP/IE users would get a certificate error with a red address bar, like with a self-signed cert?

ergophobe

Msg#: 4531941 posted 8:18 pm on Jan 3, 2013 (gmt 0)

"I assume that XP/IE users would get a certificate error with a red address bar, like with a self-signed cert?"


Actually, I was going to ask you the same. Please report back when you figure it out. Do you have a computer or VM with XP/IE on it so you can test?

ergophobe

Msg#: 4531941 posted 6:06 am on Jan 25, 2013 (gmt 0)

Here's an interesting rundown of exactly what happens with SNI on Windows XP

[blogs.msdn.com...]
