Forum Moderators: phranque

SSL and SNI on dynamic IP - feasible?

     
11:53 pm on Dec 29, 2012 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 31, 2003
posts: 9063
votes: 2


I'm thinking of getting a free SSL certificate for a web forum and having an optional secure version to cater for the paranoid members of the audience, but doing it on the cheap using SNI and maintaining the site on a dynamic IP. Is anyone doing this? Do you get many complaints from XP users or from users of older browsers? Any major pitfalls?

(It's not an ecommerce site, and I don't really need SSL. I don't want to get a static IP for no real reason.)
10:16 pm on Jan 2, 2013 (gmt 0)

Moderator

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 25, 2002
posts:8137
votes: 95


I have been looking into it, but I'd need to rebuild the VPS entirely.

You've probably gotten this far already, but you need OpenSSL 0.9.8f or later.

If you're on cPanel, you're stuck with 0.9.8e and from all I can gather, changing that while sticking with cPanel is an iffy proposition, so I've given up for now because I'm not willing to tackle the migration off cPanel on a functioning server.
10:36 pm on Jan 2, 2013 (gmt 0)

Moderator

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 25, 2002
posts:8137
votes: 95


Turns out Plesk, Virtualmin and Webmin all support SNI.

But as to your original question, the latest data I can find shows XP at 39% of the desktop market and IE on XP at 47%, so you still have close to 20% who are going to have problems with SNI.

XP was losing share rapidly, but I think that the release of Windows 8, paradoxically, will keep people on XP longer. Win 8 is still under 2% and I bet if Win 7 were still the standard, you would have seen a greater increase in non-XP versions of Windows.

So for right now, I think you have to pony up and buy IPs. For me, I was just hoping to use it to lock down admin areas, so I would just use self-signed certs and modern browsers, so it wouldn't be an issue, but the hassle is too great for me for now.

src: [netmarketshare.com...]
2:32 am on Jan 3, 2013 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 31, 2003
posts: 9063
votes: 2


Thanks for the reply, the server has the latest version of OpenSSL (1.0.1c) and no cPanel to worry about, so I have no issues regarding setting it all up (well, the hosting company can do it!). I just hate the frivolous use of dedicated IPv4 addresses. I have access to plenty of IPv6 addresses, but the forum CMS doesn't support IPv6, let alone my users :)

I've checked the stats for the site in question, and there are only about 5% of visitors using the problematic IE/XP combination - and I'm guessing that not all of those users would choose the secure site.

I think I'm going to go ahead and try it out using SNI. I assume that XP/IE users would get a certificate error with a red address bar, like with a self-signed cert?
8:18 pm on Jan 3, 2013 (gmt 0)

Moderator

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 25, 2002
posts:8137
votes: 95


"I assume that XP/IE users would get a certificate error with a red address bar, like with a self-signed cert?"


Actually, I was going to ask you the same. Please report back when you figure it out. Do you have a computer or VM with XP/IE on it so you can test?
6:06 am on Jan 25, 2013 (gmt 0)

Moderator

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 25, 2002
posts:8137
votes: 95


Here's an interesting rundown of exactly what happens with SNI on Windows XP:

[blogs.msdn.com...]