Can I detect if the SSL client doesn't support Server Name Indication and provide the standard HTTP website in that case?

tls

I will need to use SSL SNI, but unfortunately from a recent Cloudflare blogpost only 90% of the network supports it. How can I (for example, with nginx) detect if the client supports SNI and provide/redirect to the HTTP version of the website? Is this possible? How else can I not lose the 10% of the traffic using SNI? Is it correct to assume that I wouldn't be able to redirect HTTPS traffic to HTTP without a valid certificate, and thus this request is impossible?

Thank you.


Solution 1:

If you want to offer HTTPS from start you must provide a certificate accepted by the client from start. Because otherwise the client will not accept the SSL connection and you will not be able to redirect the client to a different site or a HTTP-only version. This means to support this case you

  • either need to have a single certificate containing all your domains, so that you can provide non-SNI clients with a proper certificate. But in this case you don't need SNI at all.
  • or you have to install some default certificate which does not match most of your names. In this case you can only provide the client a different page or redirect it if the client accepts this bad certificate.

If you don't need to have HTTPS from start, that is if the client usually connects first with plain HTTP, then you could try to detect SNI support so that you can redirect the client later. This might be done by including an image, some JavaScript or similar stuff from your HTTPS-site and if the loading succeeds then you know that the client either supports SNI or ignores certificate errors.

Of course this leaves everything open to man-in-the-middle attacks, because all the man-in-the-middle has to do is to serve some different certificate or make HTTPS unavailable at all, because in this case you will never try to upgrade the connection to HTTPS. Additionally this can be used to make it look like the clients supports SNI, if the man-in-the-middle does it instead. And not only non-SNI clients are affected by this but SNI-capable clients can only be intercepted. So while this would be possible in theory it is not recommended because you can simply man-in-the-middle everything and thus make the main point of using HTTPS moot.

Related

"net.c:577: sendmsg() failed: Operation not permitted" in dig Output
Do I need a CPU that supports Virtuallization to do Containerization?
Missing nameservers reported by parent and your nameservers
HaProxy - 502 Bad Gateway : HTTP spoken on HTTPS port
Reset GID/UID auto-increment numbers
Install sqlite latest version on Centos6.7
When do STALE arp entries become FAILED when never used?
delete rsnapshot directories
How to use WMIC to connect to remote machine and output OS information to a file?
Letsencrypt - do I need to keep ".well-known" accessible for certificate renewal?
Use LetsEncrypt certs with Neo4j
How can I enable remote access to the Admin page in CUPS