Mercurial > hg > nginx-site
comparison xml/en/docs/http/configuring_https_servers.xml @ 661:e1579b244800
SNI: expressed more clearly that passing of literal IP addresses in
an SNI is prohibited by RFC, and that one should not rely on a few
misbehaving browsers, notably Safari (both desktop and mobile).
| author | Ruslan Ermilov <ru@nginx.com> |
|---|---|
| date | Thu, 30 Aug 2012 09:43:14 +0000 |
| parents | ba45bd0fc71e |
| children | 2ceaef0e84a1 |
comparison
equal
deleted
inserted
replaced
| 660:ba45bd0fc71e | 661:e1579b244800 |
|---|---|
| 6 <!DOCTYPE article SYSTEM "../../../../dtd/article.dtd"> | 6 <!DOCTYPE article SYSTEM "../../../../dtd/article.dtd"> |
| 7 | 7 |
| 8 <article name="Configuring HTTPS servers" | 8 <article name="Configuring HTTPS servers" |
| 9 link="/en/docs/http/configuring_https_servers.html" | 9 link="/en/docs/http/configuring_https_servers.html" |
| 10 lang="en" | 10 lang="en" |
| 11 rev="2" | 11 rev="3" |
| 12 author="Igor Sysoev" | 12 author="Igor Sysoev" |
| 13 editor="Brian Mercer"> | 13 editor="Brian Mercer"> |
| 14 | 14 |
| 15 <section> | 15 <section> |
| 16 | 16 |
| 363 <section id="sni" name="Server Name Indication"> | 363 <section id="sni" name="Server Name Indication"> |
| 364 | 364 |
| 365 <para> | 365 <para> |
| 366 A more generic solution for running several HTTPS servers on a single | 366 A more generic solution for running several HTTPS servers on a single |
| 367 IP address is | 367 IP address is |
| 368 <link url="http://en.wikipedia.org/wiki/Server_Name_Indication">TLSv1.1 | 368 <link url="http://en.wikipedia.org/wiki/Server_Name_Indication">TLS |
| 369 Server Name Indication extension</link> (SNI, RFC3546), | 369 Server Name Indication extension</link> (SNI, RFC 6066), |
| 370 which allows a browser to pass a requested server name during the SSL handshake | 370 which allows a browser to pass a requested server name during the SSL handshake |
| 371 and, therefore, the server will know which certificate it should use | 371 and, therefore, the server will know which certificate it should use |
| 372 for the connection. | 372 for the connection. |
| 373 However, SNI has limited browser support. | 373 However, SNI has limited browser support. |
| 374 Currently it is supported starting with the following browsers versions: | 374 Currently it is supported starting with the following browsers versions: |
| 397 and Chrome (Windows version supports SNI on Vista or higher, too). | 397 and Chrome (Windows version supports SNI on Vista or higher, too). |
| 398 </listitem> | 398 </listitem> |
| 399 | 399 |
| 400 </list> | 400 </list> |
| 401 <note> | 401 <note> |
| 402 If a server is accessed by an IP address, most browsers will | 402 Only domain names can be passed in SNI, |
| 403 not pass it as a server name during the SSL handshake. | 403 however some browsers may erroneously pass an IP address of the server |
| 404 as its name if a request includes literal IP address. | |
| 405 One should not rely on this. | |
| 404 </note> | 406 </note> |
| 405 </para> | 407 </para> |
| 406 | 408 |
| 407 <para> | 409 <para> |
| 408 In order to use SNI in nginx, it must be supported in both the | 410 In order to use SNI in nginx, it must be supported in both the |