Why are SANs limited to 100 domains only?

What I mean is, why or for what reason does Let's Encrypt not support SANs for more than 100 domains? I know it's a stupid question, but curiosity remains.

2 Likes

I don't know the actual reason, but I think it's a reasonable limit:

Certs start to get excessively large with too many SANs, (significantly) increasing load times, and at some point handshakes with clients will fail.

For example, a cert with 1000 SANs has a noticeable load time on my machines: https://1000-sans.badssl.com/. Less optimized implementations or embedded machines especially have trouble here.

And this 10,000-SAN cert even exceeds TLS handshake message size limitations, failing everything: 10000-sans.badssl.com

But 100 SANs shouldn't inflate the certs too much and should be handled everywhere. As SNI has significant client support, more than 100 should not be needed: just generate more certs. Therefore there is no real reason to allow more than 100; it just increases the risk of problems.

5 Likes

Yeah, the 1000 limit is not that appreciable. Well, it's not a problem, but just looking into it: 250 DNS SANs?

I have a query too: is it possible to use a SAN SSL on different domains which are on different hosting but are on the same SAN certificate?

2 Likes

Yes, but you may have trouble obtaining such a cert via HTTP validation.

A perfect example here is a wildcard cert (which requires DNS validation).
Wildcard certs can match a very large number of servers, all of which can have completely separate IPs and hosting.
And wildcard certs are obtained via DNS; so you can have many different domains validated during the same request, and they will all be included in the same cert.

3 Likes

Perhaps making the limit an actual character length might be more significant.
Like:
Hard limit = 2500 characters
[so the smaller the FQDNs, the more of them will fit into the SAN]

2 Likes

If you're going down that road, @rg305, you might as well calculate the entire size of the final certificate, so that 4096 bits of RSA public key will limit your SAN size drastically, whereas ECDSA would give you more room for a lot of SAN entries.

5 Likes

@Osiris, I love that idea!

Maybe something along the lines of:
4096 = 25 entry limit [or an actual byte count X]
2048 = 100 entry limit [or an actual byte count X+2K]
256/384 = 250 entry limit [or an actual byte count X+3.5K]

2 Likes
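The "byte budget" idea in the last few posts (and the handshake-size concern raised earlier) can be made concrete by DER-encoding the subjectAltName extension and sizing it against the public key. This is an added example, not code from the thread or from Let's Encrypt; the budget numbers and host names are constructed, and the SubjectPublicKeyInfo sizes are typical DER lengths for those key types.

```python
# Added example: size a subjectAltName (SAN) extension value for a list of
# dNSNames, using only the standard library, and count how many names fit
# into an assumed byte budget. Names and budgets below are constructed.

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    """Tag, DER length, content."""
    return bytes([tag]) + der_len(len(content)) + content

def san_extension_value(names: list[str]) -> bytes:
    """GeneralNames ::= SEQUENCE OF GeneralName (RFC 5280).
    dNSName is [2] IMPLICIT IA5String, i.e. context tag 0x82."""
    general_names = b"".join(der_tlv(0x82, n.encode("ascii")) for n in names)
    return der_tlv(0x30, general_names)

def san_bytes(names: list[str]) -> int:
    return len(san_extension_value(names))

# Typical DER SubjectPublicKeyInfo sizes in bytes (assumed reference values).
SPKI_BYTES = {"rsa2048": 294, "rsa4096": 550, "p256": 91, "p384": 120}

def names_that_fit(names: list[str], budget_bytes: int) -> int:
    """Largest prefix of `names` whose SAN extension stays within the budget.
    Encoded size grows monotonically with each added name, so stop early."""
    count = 0
    for i in range(1, len(names) + 1):
        if san_bytes(names[:i]) <= budget_bytes:
            count = i
        else:
            break
    return count

def names_that_fit_with_key(names, key: str, total_budget: int) -> int:
    """Share one constructed budget between the key and the SAN list."""
    return names_that_fit(names, total_budget - SPKI_BYTES[key])

if __name__ == "__main__":
    hosts = [f"host{i:02d}.example.com" for i in range(100)]  # constructed
    print("100 x 18-char names ->", san_bytes(hosts), "bytes of SAN")
    for key in SPKI_BYTES:
        print(key, "fits", names_that_fit_with_key(hosts, key, 2500), "names")
```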

At what point does the validation process count as mutual DoS warfare?

:bomb:

We're under attack!

Nope, that's just the 32,362nd domain name validation.

3 Likes

You joke, but this is indeed another reason we limit the number of SANs per certificate: we've seen authoritative DNS servers treat it as a DoS attack when we simultaneously look up 100 hostnames (and their CAA records) from multiple vantage points. (CAA lookups themselves are usually multiple queries, when the exact hostname doesn't have CAA and we "climb the tree" to the parent domain and TLD.)

5 Likes
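The CAA "tree climbing" in the previous post follows RFC 8659: the CA queries the exact hostname first and, when no CAA record set exists there, each parent in turn, so one validation of a deep hostname can mean several lookups per vantage point. This is an added example, not Let's Encrypt's code; the zone data is constructed and the lookup is simulated against a dictionary instead of real DNS.

```python
# Added example: simulate RFC 8659 CAA lookup climbing and the issuance
# decision, and count how many queries a batch of names would generate.
# `zone` is a constructed stand-in for authoritative DNS: name -> CAA RRs.

CAA = tuple[int, str, str]  # (flags, tag, value)

def relevant_caa(zone: dict[str, list[CAA]], fqdn: str) -> tuple[list[CAA], list[str]]:
    """Climb from fqdn toward the TLD and return (records, names queried).
    Stops at the first name that has a CAA record set (RFC 8659 section 3)."""
    labels = fqdn.rstrip(".").split(".")
    queried = []
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        queried.append(name)
        rrs = zone.get(name, [])
        if rrs:
            return rrs, queried
    return [], queried

def issuance_allowed(records: list[CAA], ca_domain: str, wildcard: bool = False) -> bool:
    """No CAA anywhere -> any CA may issue. issuewild governs wildcards and
    falls back to issue when absent; a bare ';' value forbids every CA."""
    if not records:
        return True
    tag = "issuewild" if wildcard else "issue"
    values = [v for _, t, v in records if t == tag]
    if wildcard and not values:
        values = [v for _, t, v in records if t == "issue"]
    if not values:
        return True  # property present but no constraint for this tag
    return any(v.split(";")[0].strip() == ca_domain for v in values)

def queries_for_batch(zone: dict[str, list[CAA]], names: list[str]) -> int:
    """Total CAA queries one vantage point sends to validate all `names`."""
    return sum(len(relevant_caa(zone, n)[1]) for n in names)

if __name__ == "__main__":
    zone = {  # constructed sample data
        "example.com": [(0, "issue", "letsencrypt.org")],
        "locked.example.com": [(0, "issue", ";")],
    }
    rrs, path = relevant_caa(zone, "www.app.example.com")
    print(path, "->", rrs, "allowed:", issuance_allowed(rrs, "letsencrypt.org"))
    batch = [f"h{i}.deep.sub.example.com" for i in range(100)]
    print("queries for 100 names:", queries_for_batch(zone, batch))
```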

That doesn't surprise me. I wasn't sure of the threshold though. I suppose it depends on the sensitivity of the defensive apparatus involved.

4 Likes

Oh, it looks like somewhat of a mystery to me. But still, it's not possible for 99% of users to successfully get 100 domains in one SAN; I saw this only possible with some SSL generators with APIs.

2 Likes

If validations are good for (up to) 30 days...
One can easily validate 100 names and then ask for them all on one cert.

3 Likes

It's a limit for the sake of having a limit (the technical limit is much larger), and because if you don't have one people will go ahead and stuff as many names as they can onto one cert, slowing down handshakes etc. It's a pretty reasonable limit.

2 Likes

It's a really reasonable limit; I am just wondering what is possible and what's not!

2 Likes

In all fairness, on average it is probably too large, as it is too simple to misuse/abuse such a free system: one that is (mis)used by all too many complete novices and those that use production systems for testing. [Sure that their implementations are flawless, only to hit rate limits due to excessive failures.]
And like those that incorrectly use containerized systems and force it to generate a cert every time it is started. [Is it wasteful to discard a free item? (YES)]
But implementing any kind of graded scale protection against such misuses would require more time and effort (i.e. $$$) than any benefit it could possibly yield.
So, I agree that a one-size-fits-all is the most efficient means to resolve it.
And I strongly believe that LE should change that "one size" and any and all other limits as it sees fit to maintain their systems (integrity, scalability, cost efficiency, convenience, etc.).
[(Freedom and) free should come at a price.]

2 Likes

@rg305, I didn't get you this time. What do you mean?

My personal rule is that only aliases (domain names pointing to the same webroot directory) should share the same certificate.

2 Likes

LE should be flexible and react to "trends".
I suppose, over time as things become more secure and automated, efficiency will increase and perhaps then certain limits could be raised.
Until then, or if things take a turn for the worse, they should do w/e they need to do to keep their systems at peak operational levels.
Even if that means limiting SANs to 10 names (not that I think this will ever happen).

The point is "beggars can't be choosy".
Things are kept FREE when it is convenient for the giver (it is always convenient for the taker).
Let's do our best to keep it that way and allow them to keep it that way.

2 Likes

It's true, it costs LE to do it for free, and the thing I will tell you is, the common man never abuses or uses LE; I mean they generate only 5 to 7 (max) from LE. I feel very, very sad saying that organisations like Wordpress (.com) and many others really say in their pricing that they provide a FREE SSL, but poor people don't know anything. If you do a little research you will get to know that all profit organisations use LE for their own benefit, not common people.
Common people aren't beggars though.

2 Likes

@rg305, if you ask I can practically show you everything that shows that common people (I say common man) (a very, very, very few people abuse the service (I am saying this about individuals))

Now about organisations: they get money from customers but they don't give them paid SSL; they churn LE for their profit. It should be stopped, but when I think so, I see a wall that says to me, who are you to stop this?

2 Likes