Monday, June 07, 2010

SNI, TLS, UCC or SAN and https

I am mixing too many keywords in secure communication using https (TLS v2) per se. SSL is deprecated and TLS is taking over. Since the https secure connection is established below the HTTP layer, the host information is not passed to the server while the connection is being established, and hence multiple hosts on a single IP are practically not possible until TLS v2, which adds SNI. Single IP, single server, single host and single certificate is not the way to go for my requirement. I had been spending so many hours figuring out …. Better: 1) understand how it works, 2) plan how to deal with the shortcomings, 3) choose one over the other.
Wildcard Certificate –
*.somedomain.com would not be possible for virtual hosting in a vendor domain (naked domain) kind of scenario, and may be useful with more neutral domains. It is not possible to serve different domains with a wildcard.

UCC or SAN --- Unified Communications Certificates or Subject Alternative Names
It can be used if all the domains are owned by a single entity or person --- hmm… practically not possible. Usually the certificate embeds multiple domains in a single cert, in the alternative name field.

SNI – Server Name Indication ---
The web server can have multiple certificates --- the key/cert files would be different for different domains. So it is the web server that works out which request is for which domain and sends the appropriate certificate. Nginx with openssl .98+ supports this, but it needs to be told so.
Other issues with SNI:
Restart needed for each new VHOST configuration
Operating System (OS) limitation:
1) Windows XP
a. IE 7 or 8 will not work
b. Google chrome will not work
c. Firefox actually works -- nice job Firefox (as it uses its own networking layer)
d. Safari will not work.

2) Vista
a. IE 7 +
b. Chrome
c. Safari
Because of the built-in TLS layer in Windows XP, browsers that use it will not work, but Firefox, which uses the NSS API, is able to work with SNI virtual hosts.
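
How an SNI-aware server can tell which certificate to send, as an added example (not code from the original post): it builds a real ClientHello in memory with Python's ssl module, reads the host name from the server_name extension, and falls back to a default certificate when the client sends none, which is why a non-SNI browser sees a name mismatch on every virtual host but the default. The host names, certificate paths and function names are hypothetical placeholders.

```python
import ssl
import struct

# Hypothetical vhost table: host names and certificate paths are placeholders.
VHOST_CERTS = {"shop.example": "/etc/ssl/shop.example.crt",
               "blog.example": "/etc/ssl/blog.example.crt"}
DEFAULT_CERT = "/etc/ssl/default.crt"

def client_hello(hostname=None):
    """Build a real ClientHello in memory (no network); constructed sample input."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # only so a hello without a host name can be built
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # no server answers; the ClientHello is already in `outgoing`
    return outgoing.read()

def parse_sni(record):
    """Return the host_name in the server_name extension, or None if absent."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    try:
        pos = 4 + 2 + 32                                      # header, version, random
        pos += 1 + body[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                                  # compression_methods
        if pos + 2 > len(body):
            return None                                       # no extensions at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= min(end, len(body)):
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            ext = body[pos + 4:pos + 4 + ext_len]
            if ext_type == 0 and ext[2] == 0:                 # server_name, host_name
                # ext layout: list_len(2) name_type(1) name_len(2) name
                return ext[5:5 + struct.unpack("!H", ext[3:5])[0]].decode("ascii")
            pos += 4 + ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        raise ValueError("truncated or malformed ClientHello") from None
    return None

def pick_certificate(record):
    """Map the requested host name to a certificate file, else the default."""
    name = parse_sni(record)
    return VHOST_CERTS.get(name.lower(), DEFAULT_CERT) if name else DEFAULT_CERT
```

The host name travels unencrypted in the ClientHello, so the same parser works on captured traffic when checking which clients on a network still connect without SNI.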

1 comment:

  1. Wildcard SSL Certificate secures your unlimited subdomains.
    SSL certificates can provide you with non-forgeable proof of your website's identity, and customer confidence in the integrity and security of your online business.
