Re: uses an invalid security certificate

From: Wichert Akkerman <wichert(at)wiggy(dot)net>
To: Jeremy Baron <jeremy(at)tuxmachine(dot)com>
Cc: spi-general(at)lists(dot)spi-inc(dot)org
Subject: Re: uses an invalid security certificate
Date: 2014-03-03 07:48:54
Views: Raw Message | Whole Thread | Download mbox
Lists: spi-general

On 02 Mar 2014, at 18:02, Jeremy Baron <jeremy(at)tuxmachine(dot)com> wrote:
> On Feb 27, 2014 6:46 PM, "TJ" <spi-inc(at)iam(dot)tj> wrote:
> > Most sites and browsers support SNI in which case multiple IPs aren't required, although to
> > handle those user agents that don't support SNI it is usual to make the server's default site
> > be the primary HTTPS site for the organisation.
> I thought the point of using multiple IPs was to allow one to accept HTTPS and one to not listen to 443 at all. (Not something you can do with SNI…)

The point of multiple IPs is to allow you to use multiple SSL certificates, since SNI is nice but in the real world still unusable due to the large number of people still using Windows XP which does not support SNI. SPI does not have extra IP addresses to spare as far as I know, and an ISP is not likely to give you extra IP space if your rationale is “I want to serve sites without SSL”.

Randomly trying to access a site by changing a HTTP url to HTTPS one is likely to result in problems. SPI is not unique in that aspect.


Browse spi-general by date

  From Date Subject
Next Message Jonathan McDowell 2014-03-12 16:48:32 SPI Meeting Reminder: Thursday 13th March, 2014 @ 20:00 UTC
Previous Message Jeremy Baron 2014-03-02 17:02:03 Re: uses an invalid security certificate