On 10/24/2011 09:12 PM, Joe Gooch wrote:
> If you only configure one certificate per listener, SNI isn't an
> issue... So if you have other 2.6 features you're using, no reason
> to backrev.

As I was about to give up on my SNI adventure a coworker decided to further investigate why some users on Windows 7 couldn't connect with IE 8 & 9. He found the culprit: the option for "TLS 1.0" on their browsers was disabled. As soon as it was enabled it worked right away. I checked with a plain vanilla Windows 7 (and the stock IE) and it was enabled by default. It appears that some apps you install might disable it (antivirus etc).

I never had problems with Chrome and Firefox and, since this is a controlled environment (regional offices), I can easily pass along the instructions to enable TLS 1.0 on IE:

IE9 --> Internet options --> Advanced tab --> Security Section --> Use TLS 1.0

...so I'm happy back again using SNI with pound (BTW thank you Joe for adding this to pound!).

On the other hand, for the public internet sites where I don't know the users, that will be tough as there are going to be an infinite amount of users without SNI support or with support but improperly configured. If I could just tell pound to "Redirect" all requests that come without the SNI extension... That way I could redirect them to a help page.

I know the SNI extension works at the TLS level (not HTTP) but I'm wondering if, by any chance, there's any HTTP header that will indicate whether SNI is being used or not?

Regards,
Jorge
