SSL and SNI on dynamic IP - feasible?

     

encyclo

11:53 pm on Dec 29, 2012 (gmt 0)


I'm thinking of getting a free SSL certificate for a web forum and having an optional secure version to cater for the paranoid members of the audience, but doing it on the cheap using SNI and maintaining the site on a dynamic IP. Is anyone doing this, do you get many complaints from XP users or from users of older browsers? Any major pitfalls?

(It's not an ecommerce site, and I don't really need SSL. I don't want to get a static IP for no real reason.)

ergophobe

10:16 pm on Jan 2, 2013 (gmt 0)


I have been looking into it, but I'd need to rebuild the VPS entirely.

You've probably gotten this far already, but you need OpenSSL 0.9.8f or later.

If you're on cPanel, you're stuck with 0.9.8e and from all I can gather, changing that while sticking with cPanel is an iffy proposition, so I've given up for now because I'm not willing to tackle the migration off cPanel on a functioning server.

ergophobe

10:36 pm on Jan 2, 2013 (gmt 0)


Turns out Plesk, Virtualmin and Webmin all support SNI.

But as to your original question, the latest data I can find shows XP at 39% of the desktop market and IE on XP at 47%, so you still have close to 20% who are going to have problems with SNI.

XP was losing share rapidly, but I think that the release of Windows 8, paradoxically, will keep people on XP longer. Win 8 is still under 2% and I bet if Win 7 were still the standard, you would have seen a greater increase in non-XP versions of Windows.

So for right now, I think you have to pony up and buy IPs. For me, I was just hoping to use it to lock down admin areas, so I would just use self-signed certs and modern browsers, so it wouldn't be an issue, but the hassle is too great for me for now.

src: [netmarketshare.com...]

encyclo

2:32 am on Jan 3, 2013 (gmt 0)


Thanks for the reply, the server has the latest version of OpenSSL (1.0.1c) and no cPanel to worry about, so I have no issues regarding setting it all up (well, the hosting company can do it!). I just hate the frivolous use of dedicated IPv4 addresses. I have access to plenty of IPv6 addresses, but the forum CMS doesn't support IPv6, let alone my users :)

I've checked the stats for the site in question, and there are only about 5% of visitors using the problematic IE/XP combination - and I'm guessing that not all of those users would choose the secure site.

I think I'm going to go ahead and try it out using SNI. I assume that XP/IE users would get a certificate error with a red address bar, like with a self-signed cert?

ergophobe

8:18 pm on Jan 3, 2013 (gmt 0)


"I assume that XP/IE users would get a certificate error with a red address bar, like with a self-signed cert?"


Actually, I was going to ask you the same. Please report back when you figure it out. Do you have a computer or VM with XP/IE on it so you can test?

ergophobe

6:06 am on Jan 25, 2013 (gmt 0)


Here's an interesting rundown of exactly what happens with SNI on Windows XP:

[blogs.msdn.com...]
 
