TLS SNI – almost there… or not?

As e-commerce is gaining momentum all over the world, so is the need for e-commerce platforms and infrastructure. For 2008, US e-commerce and online retail sales alone are projected to reach $204 billion, an increase of 17 percent over 2007. And that’s not only the big players – more and more smaller brick-and-mortar shops are opening their on-line versions, and many individuals are also selling their products or services on-line.

One very important aspect is the need for a secure connection between sellers and prospective buyers. That’s where SSL/TLS comes into play. The TLS protocol allows applications to communicate across the Internet in a way designed to prevent eavesdropping, tampering, and message forgery. TLS provides endpoint authentication and communications confidentiality by using cryptography. On the web, that is the https protocol.

With virtual web hosting, which is the most common type of shared hosting, one web server serves many domains through the same IP address and port. The server examines each request to determine which domain is being served by looking at the HTTP request headers. Unfortunately, those headers are only sent inside the encrypted connection, so by the time the server reads them it has already completed the TLS handshake and cannot switch to a different SSL certificate.

So, SSL-enabled virtual hosting isn’t exactly possible. Every SSL site needs its own dedicated IP address. And there are quite a lot of SSL sites out there lately, so quite a lot of IP addresses are wasted.

An extension to TLS called Server Name Indication (SNI) addresses this issue. By sending the name of the virtual domain as part of the TLS negotiation (in the client’s very first handshake message, before any certificate is chosen), it enables the server to “switch” to the correct virtual domain early and present the browser with the correct SSL certificate.
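To make the mechanism concrete, here is an added example (not code from the original post) that builds a minimal ClientHello carrying the RFC 6066 server_name extension and then parses the host name back out of the raw record, which is exactly what a server or a passive monitor sees before any certificate is selected. The host name, the single cipher suite and the all-zero random are constructed sample values.

```python
import struct

# Constructed example: build a minimal TLS 1.2 ClientHello, optionally with the
# RFC 6066 server_name extension, and parse the indicated host name out of it.
TLS_HANDSHAKE, HS_CLIENT_HELLO, EXT_SERVER_NAME, NAME_TYPE_HOST = 0x16, 0x01, 0x0000, 0x00


def build_client_hello(hostname=None):
    """Return a minimal ClientHello record; hostname=None omits the SNI extension."""
    body = b"\x03\x03" + bytes(32)         # client_version 1.2, random (zeros, test only)
    body += b"\x00"                        # empty session_id
    body += b"\x00\x02\x00\x2f"            # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                    # one compression method: null
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = struct.pack("!BH", NAME_TYPE_HOST, len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry         # ServerNameList
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body += struct.pack("!H", len(exts)) + exts
    hs = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(hs)) + hs


def parse_sni(record):
    """Return the host_name sent in the ClientHello's server_name extension, or None."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    hs = record[5:5 + struct.unpack("!H", record[1:3])[0]]
    if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        return None
    p = 4 + 2 + 32                                  # handshake header, version, random
    p += 1 + hs[p]                                  # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]    # cipher_suites
    p += 1 + hs[p]                                  # compression_methods
    if p + 2 > len(hs):
        return None                                 # no extensions block at all
    ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if ext_type == EXT_SERVER_NAME:
            q = p + 2                               # skip ServerNameList length
            while q + 3 <= p + ext_len:
                name_type, name_len = struct.unpack("!BH", hs[q:q + 3])
                if name_type == NAME_TYPE_HOST:
                    return hs[q + 3:q + 3 + name_len].decode("ascii")
                q += 3 + name_len
        p += ext_len
    return None
```

A ClientHello without the extension (the Windows XP case described below) parses to None, which is exactly why the server then has no choice but to fall back to the default certificate for that IP address.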

The most popular web server software on the Internet, the Apache web server, has had support for TLS SNI as an external patch for some time (in combination with OpenSSL). It has been integrated since version 2.12 and recently even entered the Debian testing repository.

All major browsers have TLS SNI support as well, so we are almost there. Current versions of Firefox, Internet Explorer, Opera, Google Chrome and Safari do support TLS SNI. Or… wait… Internet Explorer for Windows XP doesn’t support it? Yeah, that’s right. Seems we are out of luck, because despite Microsoft releasing Vista and Windows 7, the now eight-year-old Windows XP is still the most popular desktop operating system on the planet.
