Could someone explain me the difference between these certificates in a simplified way? I read some articles but it sounds like they do the same job, namely encrypting many domains with one certificate.
If Require Server Name Indication is checked on the binding of an IIS site, OCSP stapling is disabled for the site.
This is easily confirmed by enabling SNI for a site that currently doesn't require it, and checking using https://www.ssllabs.com/ssltest/ or openssl:
openssl s_client -connect foobar.com:443 -servername foobar.com -tls1 -tlsextdebug -status
Does anyone have a workaround for this so that clients of SNI-enabled sites can enjoy the benefits of OCSP stapling?
I have Apache 2.2 with mod_ssl and a bunch of sites in HTTPS on the same IP/port with VirtualHosting, so client must support SNI to connect to those virtual hosts.
I would like to configure my server the following way:
When a user types www.dummysite.com and his browser supports SNI (Server Name Indication), any HTTP request is redirected to https:// where an HSTS header is sent. But if the browser doesn't support SNI then the request is served by HTTP.
The above rule, stated as is, is actually a fallback rule for those people that still run old browsers, as Mozilla and Chrome don't have this problem, just to avoid leaving these users out of the site.
I would like to do this redirecting at the Apache config level, perhaps with a filter on the user agent. I wouldn't like to touch running applications except making sure that no direct http:// references are present (otherwise they imply a security warning)
[Edit] (while editing the question I forgot the question): what is the list of SNI-enabled user agents to redirect?
I have an Nginx instance using SNI to serve multiple HTTPS domains from a single IP.
The only glitch with the setup is that Nginx responds with the first (acting as default) domain whenever a URL for the bare IP of the server, or a domain listed at that IP for which there is no corresponding HTTPS server block, is requested. In this case I would much prefer to simply return a standard 403 Forbidden -- I would set up a default server block to do this but I can't see a way around client certificate mismatch warnings.
(How c|C)an I configure Nginx to reject requests to such unknown/undefined domains without needing to specify a particular ssl certificate which will upset browsers? (i.e. I need Nginx to reject the request with a 403 prior to upsetting the client with a "bad" cert - from the client's POV this should be identical to the case where no HTTPS server block is defined at all.)
This is a Canonical Question about Hosting multiple SSL websites on the same IP.
I was under the impression that each SSL Certificate required it's own unique IP Address/Port combination. But the answer to a previous question I posted is at odds with this claim.
Using information from that Question, I was able to get multiple SSL certificates to work on the same IP address and on port 443. I am very confused as to why this works given the assumption above and reinforced by others that each SSL domain website on the same server requires its own IP/Port.
I am suspicious that I did something wrong. Can multiple SSL Certificates be used this way?