SSL Enforced by Redirect but how to support NON-SNI Browsers

@Turnbaugh106

Posted in: #301Redirect #Htaccess #SecurityCertificate

I'd like my website to be SSL only, but I'm faced with a problem regarding the SSL certificate not being supported on older browsers such as IE8. Not that I care too much, but I'm wondering if there's a way around the issue using the htaccess, virtual host, or maybe even PHP.

My current redirect looks like this (please note that the server uses port 8080, which is one of the reasons it's using REQUEST_SCHEME):

RewriteEngine on
# Any request that arrived over plain HTTP is sent to the same host and path over HTTPS
RewriteCond %{REQUEST_SCHEME} =http
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]


Is there a way to only redirect SNI-supporting browsers using htaccess or similar?


2 Comments


@Sims2060225

Well, first of all, SNI is a server setting, not a cert setting.

A bit of background here might help:

When a browser connects to an https website, it converts the website name to an IP address and then initiates an SSL connection to that IP address (without the address name) and checks the cert returned by the server. Then it sends encrypted web requests (including the address name this time) using that cert.

The problem is that when lots of sites are hosted on the same IP address (as increasingly happens, because we're running out of IPv4 addresses), the initial SSL connection doesn't know which site you want to connect to, as that initial connection only has the IP address and not the website name. So the server sends back the default cert which, if it doesn't match the website name you are asking for, causes a cert error to be returned to the user.

SNI (Server Name Indication) is an extension to the SSL request that also includes the server name in that initial connection, so the correct cert can be returned and the SSL connection can be established correctly.

However, older browsers (particularly IE8 on XP, the main non-SNI browser still being used despite XP's end-of-life status) do not support SNI.

Anyway back to your question. It appears your site is hosted by gandi.net as well as them providing your cert. It also appears they do not provide you with a unique IP address and hence you need to use SNI if you want to have a https site.

There are a few workarounds:


Gandi could provide a master cert which includes your hostname and use this as the default cert on that IP address. They are unlikely to agree to this and, even if they did, it doesn't look very professional to have a cert shared by multiple different, unrelated companies. Not to mention the fact you would be sharing the cert key with others. This is only really an option if you are in full control of the server and hosting several related sites, all under your control, on the same server.
You could just not support old browsers. Only you can judge the impact of such a decision. XP users can still use a different browser - just not IE8. But whether they realise that is a valid point.
You could ask gandi if you can upgrade to a dedicated IP address account, if they do that. It will presumably cost more than you're currently paying.
You could move your site to another hosting company which provides dedicated IP addresses. Again there will be cost and time implications of this.
You could just stick with http only.
You could have a mixed site (http and https on same site) and only support https for some browsers as you are asking for.


Looking at the last option in more detail, the only way to do this is to use http by default and redirect certain users to https based on browser sniffing - as others have suggested. However there are several issues with this:


This will only work properly if you catch all the browser agents that don't support SNI which is not a trivial task. Alternatively you could concentrate on just the main ones you might care about (e.g. only support this workaround for XP/IE8).
This will not work in reverse - you cannot redirect a https call to http as the SSL negotiation is the first thing that happens, before the content (i.e. the redirect message) is sent. So if a non-SNI user clicks on a https link then they will get an error.
Search engines might not crawl the site correctly (apparently Bing has only started supporting SNI recently and only partially: Bing and lack of SNI support).
Mixed sites are BAD for a number of reasons: confusing, difficult to administer, easier to accidentally include mixed content leading to browser alerts for the user, expose sensitive cookies in plaintext when viewing http pages, allow MITM attacks which can intercept requests to prevent upgrade to https, make SEO more difficult...etc. I would strongly encourage https everywhere (even as far as using HSTS header) rather than a mixed site.


Although not directly answering your question, hopefully that gives you more detail to help you decide if you really should do what you're asking to do.

@Cugini213

This is actually a more common requirement than you might think. Since IE8 is the latest browser available to Windows XP users, currently 14.79% of users globally are still using IE8, according to NetMarketShare.com.

You can set up an .htaccess rule so that if the web browser (according to the User-Agent header, see List of IE8 User-Agent strings) is IE8, then even if they click on an HTTPS link in the search engine, the user is server-side redirected to a non-SSL version of your website before they ever load a page with an associated SSL certificate.

RewriteEngine on

# If the web browser is IE8 and the request arrived over HTTPS, redirect to the non-SSL version of the website.
# The scheme check is needed: without it an IE8 request that is already on http: would be redirected to itself.
RewriteCond %{REQUEST_SCHEME} =https
RewriteCond %{HTTP_USER_AGENT} "MSIE 8\.0" [OR]
RewriteCond %{HTTP_USER_AGENT} "OptimizedIE8"
RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Otherwise, if a non-IE8 user is trying to access the non-SSL version, redirect them to the SSL version.
# IE8 is excluded here so the two blocks cannot bounce a request back and forth.
RewriteCond %{REQUEST_SCHEME} =http
RewriteCond %{HTTP_USER_AGENT} "!MSIE 8\.0"
RewriteCond %{HTTP_USER_AGENT} "!OptimizedIE8"
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

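Rule sets like the one above are easy to get subtly wrong, and the failure mode is a redirect loop or, for a non-SNI client sent to https, a handshake error that no redirect can fix. The following added example (not part of this answer, and not Apache code) models the two rewrite blocks in Python and walks the redirect chain a client would see, so the behaviour can be checked for each combination of scheme, browser and SNI support. The User-Agent strings and hostname are constructed samples; the "MSIE 8.0" and "OptimizedIE8" markers are the ones used in the rules above.

```python
import re
from dataclasses import dataclass

# User-Agent markers from the rule set above (the second is an IE8 build tag).
IE8_UA = re.compile(r"MSIE 8\.0|OptimizedIE8")


@dataclass(frozen=True)
class Request:
    scheme: str      # "http" or "https"
    host: str
    path: str
    user_agent: str

    def url(self):
        return f"{self.scheme}://{self.host}{self.path}"


def rules_as_posted(req):
    """Redirect target chosen by a rule set with no scheme check on the IE8 block."""
    if IE8_UA.search(req.user_agent):
        return f"http://{req.host}{req.path}"
    if req.scheme == "http":
        return f"https://{req.host}{req.path}"
    return None


def rules_with_scheme_checks(req):
    """Same intent, but each block only fires when a change of scheme is actually needed."""
    is_ie8 = bool(IE8_UA.search(req.user_agent))
    if req.scheme == "https" and is_ie8:
        return f"http://{req.host}{req.path}"
    if req.scheme == "http" and not is_ie8:
        return f"https://{req.host}{req.path}"
    return None


def follow_redirects(rules, req, supports_sni=True, max_hops=10):
    """Walk the redirect chain a client would see and report how it ends.

    Outcomes: "served" (a page is finally returned), "loop" (the same URL is
    issued twice), "tls_error" (a non-SNI client was sent to https, where the
    handshake fails before any redirect can be delivered), or "too_many_redirects".
    """
    chain = [req.url()]
    for _ in range(max_hops):
        if req.scheme == "https" and not supports_sni:
            return chain, "tls_error"            # shared-IP server presents the wrong cert
        target = rules(req)
        if target is None:
            return chain, "served"
        if target in chain:
            return chain + [target], "loop"
        chain.append(target)
        scheme, rest = target.split("://", 1)
        host, _, path = rest.partition("/")
        req = Request(scheme, host, "/" + path, req.user_agent)
    return chain, "too_many_redirects"


# Constructed sample User-Agent strings for the two browser classes.
IE8 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
MODERN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/100.0"

if __name__ == "__main__":
    for name, rules in (("as posted", rules_as_posted), ("with scheme checks", rules_with_scheme_checks)):
        chain, outcome = follow_redirects(rules, Request("http", "example.com", "/", IE8), supports_sni=False)
        print(f"{name}: IE8 over http -> {outcome} {chain}")
```

Running it shows the first rule set sending an IE8 request on http to its own URL forever, while the version with scheme checks serves the http page; it also shows that an IE8 user who starts from an https link ends in a TLS error under either rule set, which is the limitation the earlier answer describes.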