In modern systems, many services are frequently hosted on the same IP address, and each service must have its own security certificate. To differentiate certificates on one IP, the SNI standard was invented (in addition to SSL).
What is SNI?
SNI (Server Name Indication) is an extension of the TLS protocol that indicates which site a visitor is trying to reach when a connection is being established.
Even prior to the SSL handshake, SNI makes it possible to specify the needed certificate. But for everything to work, the web browser the client is using must support SNI.
However, not all browsers support SNI. In that case, an alert message pops up indicating that the SSL certificate is invalid.
How to deal with systems not supporting SNI?
Old versions of server software and browsers do not support SNI (for example, Internet Explorer 6 and 7 for Windows XP or Android 2.0).
Some software uses old frameworks, and the customers don't want to abandon it. They are definitely not going to update it, but the availability of services is critical.
In such cases, it is possible to allocate a specific address for customers who use older versions of browsers and frameworks and, when there is no SNI, issue only the certificate that the customer's software expects. But this is expensive and inconvenient to administer.
What have we offered?
If SNI is not requested, we issue *.gcdn.co as the default certificate. There is just one requirement: the client's CNAME must be on the *.gcdn.co domain. Then SNI will not be requested, and the default certificate will be served.
We call this feature nonSNI. For some of our customers, the availability of nonSNI in the CDN is an important advantage.
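The selection described above, as an added example (not code from G-Core): it reads the server_name extension from a ClientHello, falls back to the *.gcdn.co default when none is present, and checks whether a hostname is covered by that wildcard. The ClientHello bytes, the hostnames and the per-host table are constructed for illustration, and falling back to the default for an unknown name is an assumption.

```python
import struct

DEFAULT_CERT = "*.gcdn.co"                             # default certificate named on the page
CERTS = {"static.customer.example": "customer cert"}   # hypothetical per-host table

def client_hello(host=None):
    """Constructed sample input: a minimal ClientHello record, with or without SNI."""
    hello = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    if host:
        name = host.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        body = struct.pack("!H", len(entry)) + entry            # server_name_list
        ext = struct.pack("!HH", 0, len(body)) + body           # extension type 0
        hello += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello        # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # record type 22

def extract_sni(rec):
    """Return the host_name sent in a ClientHello record, or None if there is no SNI."""
    if len(rec) < 44 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    try:
        p = 5 + 4 + 2 + 32                                  # headers, version, random
        p += 1 + rec[p]                                     # session_id
        p += 2 + int.from_bytes(rec[p:p + 2], "big")        # cipher_suites
        p += 1 + rec[p]                                     # compression_methods
        if p + 2 > len(rec):
            return None                                     # no extensions block at all
        end = min(len(rec), p + 2 + int.from_bytes(rec[p:p + 2], "big"))
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", rec[p:p + 4])
            if etype == 0:                                  # server_name extension
                nlen = int.from_bytes(rec[p + 7:p + 9], "big")
                return rec[p + 9:p + 9 + nlen].decode("ascii")
            p += 4 + elen
        return None
    except (IndexError, UnicodeDecodeError) as exc:
        raise ValueError("truncated or malformed ClientHello") from exc

def select_certificate(rec):
    """Pick by SNI; with no SNI (or, as an assumption, an unknown name) use the default."""
    return CERTS.get(extract_sni(rec), DEFAULT_CERT)

def covered_by_default(host):
    """True if the default wildcard matches host (a wildcard covers one left-most label)."""
    labels = host.lower().rstrip(".").split(".")
    return len(labels) == 3 and labels[0] != "" and labels[1:] == ["gcdn", "co"]
```

A client that sends no SNI receives the default certificate, so its connection validates only when the hostname it requested passes `covered_by_default`.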
Browsers supporting SNI:
- Internet Explorer 7 or later
- Microsoft Edge
- Mozilla Firefox 2.0 or later
- Google Chrome 6 or later
- Opera 8 or later with TLS 1.1 support enabled
- Yandex Browser
- Safari 2.1 or later
Mobile platforms supporting SNI:
- iOS 4.0
- Android 3.0 (Honeycomb)
- Windows Phone 7