On 10/24/2011 05:47 PM, Jorge Fábregas wrote:
>  It worked for me on IE & Firefox but then, on other machines, 
> I started getting the wrong certificates (turns out it was the 
> "last certificate" on the config).

I'm going to correct myself.  At this point I'm not sure if there's
something wrong with pound or the clients connecting to it.  I'm leaning
towards the latter.

The thing is, I checked the SNI Wikipedia page for OS & browser support
and thought I wouldn't have any problems in October of 2011 (based on
the OS & browser of my users).  It turns out I had a lot of problems
that I couldn't pinpoint to a specific browser or OS (as they were
supposedly SNI-ready).

I also had users behind forward proxies that might not be sending the
SNI bits properly.

And then, the SSL validator sites:

http://www.digicert.com/help/

On this one, 100% of the time that I performed a test it worked perfectly.

On the other hand, this site:

http://www.sslshopper.com/ssl-checker.html

...fails 100% of the time for one of my two sites.  I believe now that
it simply doesn't send the SNI header on its requests.

Finally, I fired up my Windows XP VM (where I know it won't work as SNI
is not supported) in order to see the behavior I get.  And indeed, it's
the same behavior I get when it doesn't work for my users (I'll get the
last certificate of my config, ignoring the other one).

Conclusion:  It appears SNI is not widely supported.  I'll be reverting
back to pound stable (without SNI support) and I'll deal with the
situation with another IP :(

Regards,
Jorge
