[Solved] Subdomains showing No SNI - all but one, the missmatched one

Shwele · April 11, 2018, 1:29pm

Heya guys,

I’ve been checking TLS for our domains and found one thing that confused me, for one subdomain everything is alright, but for others its showing NO SNI and cert being missmatched
subdomain example:
https://www.ssllabs.com/ssltest/analyze.html?d=cikaboca.civicatalyst.org&hideResults=on

subdomain that is showing that is missmatched:
https://www.ssllabs.com/ssltest/analyze.html?d=bestnis.civicatalyst.org&hideResults=on

even domain itself has issues with it:
https://www.ssllabs.com/ssltest/analyze.html?d=civicatalyst.org&hideResults=on&latest

What could be causing this issue?
Server is on Linux16.04 , we are using apache2. Can provide you with any needed additional info if needed.

Thanks in advance to all,
Shwele

sahsanu · April 11, 2018, 1:46pm

Hi @Shwele,

There is no problem with your certs, before web servers and clients supported SNI the only way to serve several certificates for different domains were to use the certificate attached to 1 ip, so to have 3 different certificates you should have 3 different ips. With SNI you can have multiple certificates attached to just 1 ip.

In this case, if a client tries to connect to your web server and this client doesn’t support SNI, it will receive the default certificate configured in your server (with default I mean the first certificate your web server loads when starting) so in your case it receives the cert covering bestnis.civicatalyst.org.

Only older clients don’t support SNI so you should not be worried about it.

Hope this helps,
sahsanu

Shwele · April 11, 2018, 3:24pm

Thanks for clarification, we can close this ticket then.

And yeah that is correct, there are multiple websites on the same IP address.

system · May 11, 2018, 3:24pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.