Server Name Indication (SNI) is becoming more and more popular, since it lets one IP address serve several SSL certificates: the client sends the hostname it wants in the TLS handshake, so the server can pick the matching certificate before it answers. I wouldn’t quite recommend it for your web store yet (it’s not supported by any version of Internet Explorer on Windows XP, though other browsers had no trouble supporting it on XP), but if you’re just looking to secure your blog’s login form so your password isn’t sent across the internet in plain text, it’s great. Pair it with free SSL certificates from StartSSL and you’re good to go!

I was using a NodePing check to alert me to any expiring SSL certificates on my sites, and one of them went off recently. I checked and the certificate didn’t expire for another 2 years, so I was confused. Checking the error message returned, I saw “invalid / Wildcard domain mismatch”. Since it worked fine in every browser I tried, it could only be because their check doesn’t support SNI.

Trying to find some other way to verify my theory, I could only find tips on validating normal SSL certificates with the openssl command. After quickly skimming the help files, I found that you can actually tell OpenSSL to send the SNI extension in its handshake:

openssl s_client -servername blog.example.com -connect 203.0.113.10:443

Just set the -servername parameter to the name of the vhost you want to test (blog.example.com above is a placeholder) and -connect to the server’s host or IP and port, and you’re good to go. The subject line and the “Verify return code” near the end of the output tell you which certificate came back; run the same command without -servername and you will see the default vhost’s certificate instead, which is exactly what a monitoring check without SNI support sees and why it reports a name mismatch. Note that s_client waits on standard input after the handshake, so redirect it from /dev/null when scripting this.
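As an added example (not from the original post), here is a small POSIX shell script that does what an SNI-aware expiry check should do: fetch the certificate a vhost presents under a given SNI name, pull the subject CN and verify result out of the s_client transcript, apply the single-label wildcard rule, and warn 30 days before expiry with openssl x509 -checkend. It assumes the openssl CLI is in PATH; the host name, IP and port in the usage line are placeholders.

```shell
#!/bin/sh
# sni_check.sh - added example, not code from the original post.
# Assumes: openssl CLI in PATH; names and addresses are placeholders.

# Connect to HOSTPORT, send NAME in the ClientHello's SNI extension and print
# the s_client transcript (leaf certificate PEM, subject, verify result).
# s_client reads stdin after the handshake, so feed it /dev/null.
sni_transcript() {
    name="$1"; hostport="$2"
    openssl s_client -servername "$name" -connect "$hostport" </dev/null 2>/dev/null
}

# Extract the subject CN from an s_client transcript on stdin.
# Handles both "subject=/C=US/CN=x" (OpenSSL 1.0) and "subject=C = US, CN = x"
# (OpenSSL 1.1+) layouts. CN only: a SAN-aware check should use 'x509 -checkhost'.
cn_from_subject() {
    sed -n 's|^subject=.*CN *= *\([^,/]*\).*|\1|p' | head -n 1
}

# Extract the numeric verify return code (0 = chain verified) from stdin.
verify_code() {
    sed -n 's/^ *Verify return code: *\([0-9]*\).*/\1/p' | head -n 1
}

# Does hostname $2 fall under certificate name $1? Exact match, or a
# single-label wildcard as in RFC 6125: "*.example.com" covers
# "blog.example.com" but neither "example.com" nor "a.b.example.com".
cn_matches() {
    pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pat" in
        \*.*)
            suffix="${pat#\*}"            # ".example.com"
            head="${host%"$suffix"}"      # host with suffix removed, if present
            # suffix must be present, the remainder non-empty and a single label
            [ "$head" != "$host" ] && [ -n "$head" ] && [ "${head#*.}" = "$head" ]
            ;;
        *)
            [ "$pat" = "$host" ]
            ;;
    esac
}

# Usage: sh sni_check.sh blog.example.com 203.0.113.10:443
if [ "$#" -eq 2 ]; then
    name="$1"; target="$2"
    transcript=$(sni_transcript "$name" "$target")
    with_sni=$(printf '%s\n' "$transcript" | cn_from_subject)
    # Without -servername the server answers with its default vhost's cert,
    # which is what a non-SNI client (like the check in the post) sees.
    without_sni=$(openssl s_client -connect "$target" </dev/null 2>/dev/null | cn_from_subject)
    echo "with SNI ($name): CN=$with_sni, verify code $(printf '%s\n' "$transcript" | verify_code)"
    echo "without SNI:      CN=$without_sni"
    if cn_matches "$with_sni" "$name"; then
        echo "name match: ok"
    else
        echo "name mismatch: certificate for '$with_sni' does not cover '$name'"
        exit 2
    fi
    # Warn if the certificate expires within 30 days (2592000 seconds).
    printf '%s\n' "$transcript" | openssl x509 -noout -checkend 2592000 \
        || { echo "certificate expires within 30 days"; exit 3; }
fi
```

The parsing and wildcard functions run without a network, so they can be unit-tested against a saved transcript; the driver at the bottom only runs when you pass a name and a target. For production monitoring, replace cn_matches with openssl x509 -noout -checkhost (OpenSSL 1.0.2 or later), which also evaluates subjectAltName entries.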
