[Solved] Subdomains showing No SNI - all but one, the mismatched one


#1

Heya guys,

I’ve been checking TLS for our domains and found one thing that confused me: for one subdomain everything is alright, but for others it’s showing NO SNI and the cert being mismatched.
Subdomain example:
https://www.ssllabs.com/ssltest/analyze.html?d=cikaboca.civicatalyst.org&hideResults=on

Subdomain that is showing as mismatched:
https://www.ssllabs.com/ssltest/analyze.html?d=bestnis.civicatalyst.org&hideResults=on

Even the domain itself has issues with it:
https://www.ssllabs.com/ssltest/analyze.html?d=civicatalyst.org&hideResults=on&latest

What could be causing this issue?
Server is on Linux 16.04, we are using apache2. Can provide you with any additional info if needed.

Thanks in advance to all,
Shwele


#2

Hi @Shwele,

There is no problem with your certs. Before web servers and clients supported SNI, the only way to serve several certificates for different domains was to use the certificate attached to 1 IP, so to have 3 different certificates you should have 3 different IPs. With SNI you can have multiple certificates attached to just 1 IP.

In this case, if a client tries to connect to your web server and this client doesn’t support SNI, it will receive the default certificate configured in your server (by default I mean the first certificate your web server loads when starting), so in your case it receives the cert covering bestnis.civicatalyst.org.

Only older clients don’t support SNI so you should not be worried about it.

Hope this helps,
sahsanu
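
The check described in the answer above, as an added example that is not part of the original post: it fetches the certificate a server presents with and without SNI and classifies the result. The function names and the two sample certificate dictionaries are constructed for illustration; the assumed contents of the cikaboca certificate are not taken from the thread.

```python
import socket
import ssl
import sys

# Constructed getpeercert()-style samples mirroring the thread's scenario (assumed contents)
SAMPLE_DEFAULT = {"subjectAltName": (("DNS", "bestnis.civicatalyst.org"),)}
SAMPLE_OTHER = {"subjectAltName": (("DNS", "cikaboca.civicatalyst.org"),)}

def fetch_cert(host, send_sni, port=443, timeout=10):
    """Return the chain-validated leaf certificate served with or without SNI."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # names are compared below, for both cases
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # server_hostname=None makes the ssl module omit the SNI extension
        with ctx.wrap_socket(sock, server_hostname=host if send_sni else None) as tls:
            return tls.getpeercert()

def cert_names(cert):
    """DNS names from the subjectAltName of a getpeercert()-style dict."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def covers(names, host):
    """Exact match, or a wildcard that stands for exactly the leftmost label."""
    host = host.lower().rstrip(".")
    for name in names:
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def diagnose(host, sni_cert, nosni_cert):
    """Separate a real mismatch from the harmless default-certificate case."""
    if not covers(cert_names(sni_cert), host):
        return "mismatch with SNI: real misconfiguration for this name"
    if covers(cert_names(nosni_cert), host):
        return "ok: default certificate also covers this name"
    return "ok with SNI; non-SNI clients get the default certificate for another name"

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check against a host you operate
        h = sys.argv[1]
        print(h, "->", diagnose(h, fetch_cert(h, True), fetch_cert(h, False)))
    else:  # offline run on the constructed samples
        h = "cikaboca.civicatalyst.org"
        print(h, "->", diagnose(h, SAMPLE_OTHER, SAMPLE_DEFAULT))
```

If the default certificate does not chain to a trusted root, `fetch_cert` raises `ssl.SSLCertVerificationError` for the no-SNI case instead of returning a dictionary.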


#3

Thanks for the clarification, we can close this ticket then.

And yeah that is correct, there are multiple websites on the same IP address.

