We're a multi-tenant service and terminate our SSL at our load balancers (HAProxy + Apache for SSL termination); this has caused growing pains due to dedicated IP requirements. But times have changed and we're considering moving to SNI, so I was hoping for educated opinions for 2015 about adopting it as our standard.
I'm going to outline our assumptions:
- SSL is dead (long live TLS) due to the POODLE attack
- TLS has SNI built in
- IE6 / Windows XP (< SP3) are dead for many reasons, not the least of which is XP going EOL
- We've terminated support for IE7 and essentially IE8 at this point
Am I correct in assuming that SNI is essentially globally supported now?
... and ...
Are there scenarios that I should consider beyond this that would affect support?
... and finally ...
Now that HAProxy 1.5 supports SSL Termination directly, are there any caveats in your experience directly relating to SNI that will affect our ability to roll out this service?
If you consider browsers - yes.
If you have to deal with other kinds of applications - not really:
Essentially, yes - though you'll likely run into some edge case users who will complain about brokenness if SNI is required. If you have the capability to tell those people "use a browser from this decade, please" for your service, then you're set.
Browser/client OS support are the big ones, though I can imagine some other fun problems with corporate networks using SSL terminating proxies that don't support passing the SNI part of the TLS handshake, which would also break SNI.
I can't speak directly to caveats with HAProxy - we're using its SSL termination but not SNI on top of it.
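An added example, not part of this thread or of HAProxy: a small Python parser that pulls the host_name out of the SNI extension of a TLS ClientHello (the same field a name-based terminator inspects), plus a constructed ClientHello builder to exercise it offline. Run against captured ClientHellos, a `None` result is what a legacy client or an SNI-stripping corporate proxy looks like, which is how you would size that edge-case population before making SNI mandatory.

```python
import struct

def parse_sni(record):
    """Return the host_name from the SNI extension of a TLS ClientHello record,
    or None when the record is not a ClientHello or carries no SNI (legacy client)."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:  # handshake / ClientHello
        return None
    hello = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 34                                                         # version (2) + random (32)
    try:
        pos += 1 + hello[pos]                                        # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]        # cipher_suites
        pos += 1 + hello[pos]                                        # compression_methods
        ext_end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    except (IndexError, struct.error):
        return None                                   # truncated, or no extensions block at all
    pos += 2
    while pos + 4 <= min(ext_end, len(hello)):
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        data = hello[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0:                             # extension type 0 = server_name (RFC 6066)
            continue
        lpos = 2                                      # skip the 2-byte server_name_list length
        while lpos + 3 <= len(data):
            name_type, name_len = data[lpos], struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
            if name_type == 0:                        # name_type 0 = host_name
                return data[lpos + 3:lpos + 3 + name_len].decode("ascii", "replace")
            lpos += 3 + name_len
    return None

def build_client_hello(host=None):
    """Constructed minimal TLS 1.2 ClientHello for testing; host=None omits SNI like a legacy client."""
    hello = (b"\x03\x03" + bytes(32)              # client_version, zeroed random (constructed)
             + b"\x00"                            # empty session_id
             + b"\x00\x02\xc0\x2f"                # one cipher suite
             + b"\x01\x00")                       # null compression only
    if host is not None:
        name = host.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name entry
        sni = struct.pack("!H", len(entry)) + entry                    # server_name_list
        ext = struct.pack("!HH", 0, len(sni)) + sni                    # extension type 0
        hello += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello               # handshake: ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs           # record: handshake

if __name__ == "__main__":
    for h in ("tenant-a.example.com", None):      # constructed sample tenant name
        print(h, "->", parse_sni(build_client_hello(h)))
```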