It's likely the client, yes. See https://sni.velox.ch/
It should give you an idea of what your client is doing. If you only configure one certificate per listener, SNI isn't an issue... So if you have other 2.6 features you're using, no reason to backrev. Joe > -----Original Message----- > From: Jorge Fábregas [mailto:[email protected]] > Sent: Monday, October 24, 2011 8:50 PM > To: [email protected] > Subject: Re: [Pound Mailing List] Multiple SSL > > On 10/24/2011 05:47 PM, Jorge Fábregas wrote: > > It worked for me on IE & Firefox but then, on other machines, > > I started getting the wrong certificates (turns out it was the > > "last certificate" on the config). > > I'm going to correct myself. At this point I'm not sure if there's > something wrong with pound or the clients connecting to it. I'm > leaning > towards the latter. > > The thing is, I checked the SNI Wikipedia page for OS & browser support > and thought I wouldn't have any problems in October of 2011 (based on > the OS & browser of my users). It turns out I had a lot of problems > that I couldn't pinpoint to a specific browser or OS (as they were > supposedly SNI-ready). > > I also had users behind forward proxies that might not be sending the > SNI bits properly. > > And then, the SSL validator sites: > > http://www.digicert.com/help/ > > On this one, 100% of the time that I performed a test it worked > perfectly: > > On the other hand, this site: > > http://www.sslshopper.com/ssl-checker.html > > ...fails 100% of the time for one of my two sites. I believe now that > it simply doesn't send the SNI header on its requests. > > Finally, I fired up my Windows XP VM (where I know it won't work as SNI > is not supported) in order to see the behavior I get. And indeed, it's > the same behavior I get when it doesn't work for my users (I'll get the > last certificate of my config, ignoring the other one). > > Conclusion: It appears SNI is not widely supported. I'll be reverting > back to pound stable (without SNI support) and I'll deal with the > situation with another ip :( > > Regards, > Jorge > > -- > To unsubscribe send an email with subject unsubscribe to > [email protected]. > Please contact [email protected] for questions. -- To unsubscribe send an email with subject unsubscribe to [email protected]. Please contact [email protected] for questions.
