06.30
Recently, I discovered that eBox, a promising Ubuntu-based distribution aiming at the same niche as Microsoft Small Business Server, gained support for SSL on multiple Apache2 virtual hosts.
Wonderful, I thought: FINALLY someone had noticed that Apache2 has supported TLS SNI for quite some time now (mod_ssl gained it in 2.2.12, given an OpenSSL 0.9.8f or newer built with TLS extensions).
I was sorely disappointed. What they are actually doing is using a single certificate that lists every hostname in its subjectAltName extension. Whenever an SSL-secured virtual host is added or removed, the old certificate is revoked and a new one covering the new set of names is issued. Not pretty, and next to the alternative, not efficient either.
Ah yes, the alternative. Let's look at it. With SNI the client sends the hostname it wants in the TLS ClientHello, so Apache can pick the matching virtual host, and that host's own certificate, before the handshake completes. Add a virtual host? Create a certificate for it. No messing around revoking. Remove one? Revoke its certificate. No reissuing for everything else. Much more efficient, and a change to one site's certificate never touches another's.
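Here is what that per-host setup looks like in Apache 2.2 configuration. This is an added example, not eBox's generated configuration; the hostnames, document roots and certificate paths are assumed placeholders.

```apache
# Added example (not eBox's config): two SNI-based HTTPS virtual hosts
# sharing one IP address and one port. Hostnames, paths and certificate
# file names are assumed. Requires Apache 2.2.12 or later with mod_ssl
# linked against OpenSSL 0.9.8f or later (built with TLS extensions).
Listen 443
NameVirtualHost *:443

# The first vhost is the default. Clients that send no SNI (for example
# Internet Explorer on Windows XP) get this certificate regardless of the
# Host header they send afterwards, so put the most used site here.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/example
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
</VirtualHost>

# Adding a site is one more block with its own certificate; removing one
# is deleting the block and revoking that certificate only.
<VirtualHost *:443>
    ServerName mail.example.net
    DocumentRoot /var/www/mail
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/mail.example.net.crt
    SSLCertificateKeyFile /etc/ssl/private/mail.example.net.key
    # Refuse non-SNI clients here rather than silently serving them the
    # default vhost's certificate (which would fail name validation anyway).
    SSLStrictSNIVHostCheck on
</VirtualHost>
```

After editing, run `apache2ctl configtest` and reload. Two caveats worth knowing: the hostname in the ClientHello is sent in clear text, so SNI hides which site a client is visiting from nobody on the wire, and a client without SNI support is handed the first `*:443` vhost's certificate, which is why the ordering of the blocks matters.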
The argument that SNI is not popular is also a false one. True, as far as I know it is not widely deployed, but it is widely supported on the client side. What supports SNI? Here's a list:
Windows Vista onwards (Internet Explorer on Windows XP is the notable exception, since XP's Schannel has no SNI support).
Apple OS X 10.5.6 onwards.
Linux, though KDE is left out.
Any device running iOS 4.
Look at that last one. Any iPhone or iPod Touch, and soon iPad, running iOS 4 is automatically SNI capable. Go on, give it a try: visit https://sni.velox.ch/ on a 3G, 3GS or 4 running iOS 4 and have a look. From a desktop you can check the same thing with openssl s_client -connect sni.velox.ch:443 -servername sni.velox.ch and compare the certificate returned with a run that omits -servername.
Sorry, SNI is a lot of things (awesome, the best-kept secret of Apache2, not widely implemented), but 'not popular' is NOT one of them.