What happens when a browser does not support SNI

A seemingly simple question, but valid nonetheless.

What exactly happens when a browser which does not support SNI attempts to visit a site configured to force SSL via SNI?

Thanks


That depends on how your web server reacts when receiving an HTTPS request without SNI. (If you want to test it, you can simulate a non-SNI browser with openssl. Basic HTTP protocol knowledge required.)

With IIS 10, the following happens:

  • If there is a "default SSL site" (a site bound to port 443 without a host name) configured, the non-SNI client will see:

    • the certificate of the default (wrong) SSL site (usually resulting in a certificate warning, unless you configured your default SSL site certificate to include SANs for all sites hosted at your IP address) and
    • the content of the requested (correct) site (after the user has dismissed the certificate warning).

    This makes perfect sense:

    1. The SSL handshake happens before the HTTP request can be transmitted. Thus, without SNI support from the browser, the server has no option but to return the default SSL site certificate.
    2. After the SSL connection has been established (using the "wrong" certificate), the server receives the HTTP request, reads the requested host name via the Host: header and returns the correct content.
  • If there is no "default SSL site" configured, the connection will be closed.

(Source: Just tested it with an old Windows XP IE8 virtual machine.)
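To make the two points of the answer above concrete (the server only has the ClientHello to choose a certificate from, and a non-SNI client simply sends no server_name extension), here is an added example that is not part of the original answer. It builds a raw TLS ClientHello with and without the SNI extension, parses the server_name back out the way a server or a passive network sensor would, and models the IIS binding decision described above as a small function. The host names and certificate labels are made up for illustration; the handling of an SNI name that matches no site (falling through to the default binding) is an assumption, not something the answer states.

```python
"""Build TLS ClientHello records with and without SNI, extract server_name from
them, and model the "default SSL site" decision described above.

Added example; the site names and certificate labels are constructed.
"""
import os
import struct
from typing import Dict, Optional

SNI_EXT = 0x0000  # extension type server_name (RFC 6066)


def build_client_hello(server_name: Optional[str] = None) -> bytes:
    """Return a TLS 1.2-style ClientHello record.

    With server_name=None the extensions block is empty, which is what a
    non-SNI client (IE on Windows XP, or openssl s_client without -servername)
    puts on the wire. The server sees this before any HTTP request exists.
    """
    body = b"\x03\x03" + os.urandom(32) + b"\x00"        # version, random, empty session id
    body += struct.pack("!H", 2) + b"\xc0\x2f"           # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
    body += b"\x01\x00"                                  # compression methods: null only
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_data = struct.pack("!H", len(entry)) + entry        # server_name_list
        extensions += struct.pack("!HH", SNI_EXT, len(sni_data)) + sni_data
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes) -> Optional[str]:
    """Return the host_name carried in the SNI extension, or None if the record
    is not a ClientHello, is truncated, or carries no SNI (the non-SNI case)."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 2 + 32                                           # client_version + random
        pos += 1 + body[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                                   # compression_methods
        if pos + 2 > len(body):
            return None                                        # no extensions block at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + length]
            pos += 4 + length
            if ext_type != SNI_EXT:
                continue
            list_end = 2 + struct.unpack("!H", data[:2])[0]
            lpos = 2
            while lpos + 3 <= list_end:
                name_type = data[lpos]
                name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                name = data[lpos + 3:lpos + 3 + name_len]
                lpos += 3 + name_len
                if name_type == 0:
                    return name.decode("ascii")
    except (IndexError, struct.error):
        return None
    return None


def select_binding(client_hello: bytes, sni_sites: Dict[str, str],
                   default_site: Optional[str]) -> Optional[str]:
    """Which certificate the server presents, following the IIS behaviour above:
    a matching SNI name gets that site's certificate; otherwise the default
    (no-hostname) 443 binding is used if one exists; otherwise None, meaning
    the connection is closed. Treating an unknown SNI name like a missing one
    is an assumption of this example."""
    name = parse_sni(client_hello)
    if name is not None and name in sni_sites:
        return sni_sites[name]
    return default_site


if __name__ == "__main__":
    # Constructed sample configuration: two SNI bindings and one default binding.
    sites = {"alice.example.test": "CN=alice.example.test",
             "bob.example.test": "CN=bob.example.test"}
    for hello in (build_client_hello("alice.example.test"), build_client_hello(None)):
        print("SNI:", parse_sni(hello),
              "| with default site:", select_binding(hello, sites, "CN=default.example.test"),
              "| without default site:", select_binding(hello, sites, None))
```

The same two cases can be reproduced against a real server with `openssl s_client -connect host:443 -servername host` (SNI sent) and `openssl s_client -connect host:443` (on OpenSSL 1.1.1 and later add `-noservername`, since s_client now sends SNI by default), then typing `GET / HTTP/1.1`, `Host: host` and a blank line once the handshake has completed; the certificate printed by s_client is the one the decision above selected, and the response body is whatever the Host header names.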


It will probably connect to the default SSL virtual host. In other words, the same site you'd see if you connect using the IP: https://1.2.3.4/


It won't be able to load the website, that's for sure. Which is why no large sites will move to SNI-hosted HTTPS sites anytime soon. IE6 and IE7 in XP appear to be the largest old browsers that don't support SNI.

If you can get hold of a non-SNI-supporting browser, you can see what happens by going to https://alice.sni.velox.ch/

It also appears to matter which server software you are using. With Apache, browsers without SNI support will just get the first configured website (and a hostname mismatch warning probably).