Re: [TLS] Requiring SNI for HTTPS

David Holmes <> Thu, 29 May 2014 05:33 UTC

From: David Holmes <>
To: Mark Nottingham <>, TLS Mailing List <>
Thread-Topic: [TLS] Requiring SNI for HTTPS
Date: Thu, 29 May 2014 05:33:02 +0000

Do you have any visibility into what percentage of visitors are now getting blocked? Either because they don't have TLS or because they don't present SNI? Or both?

-----Original Message-----
From: TLS [] On Behalf Of Mark Nottingham
Sent: Wednesday, May 28, 2014 9:13 PM
To: TLS Mailing List
Subject: [TLS] Requiring SNI for HTTPS


Recently, I migrated two of the Web sites that I host to TLS-only, using the same IP address (and thus using SNI).

The details are here:

When doing so, I decided to require SNI, returning an error when it isn't presented. This seemed like the logical thing to do; after all, if the client doesn't present SNI, it might be presented with's cert when the browser thinks it's going to, and the user gets a cert error dialog. I don't want to contribute to training them to click through those...

Anyway, a couple of questions for your collective wisdom.

1) For HTTPS, is it reasonable for rejecting SNI-less requests to be the default when the server actually uses SNI to dispatch to the correct origin? (This may be a better question for WEBSEC or elsewhere, but I thought I'd ask here first). Right now in Apache, you have to go pretty far out of your way to get this behaviour.

2) When rejecting an SNI-less request, Apache currently generates a 403 Forbidden. However, I actually suspect that a 400 Bad Request (or a new status code) would be more appropriate, since 400 is also used when Host isn't available, and this is directly analogous. 

See also the Apache bug I raised about this: <>. In particular, I don't see how sites can reasonably start requiring SNI until server-side software makes it easier to serve an error document explaining what's happening to users that don't emit it.

Any thoughts?


Mark Nottingham

TLS mailing list
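As an added example (not part of either message above, and not Apache's or any other server's code), the following Python sketches the server-side decision Mark describes: pull the host_name out of the ClientHello's SNI extension and refuse the connection when no SNI is presented, instead of silently answering with whatever certificate the default virtual host happens to carry. The ClientHello bytes, the vhost table and the helper names (build_client_hello, parse_sni, dispatch) are all constructed here for illustration.

```python
import struct

# Constructed vhost table: server name -> label of the certificate that serves it.
# Names are illustrative; the first entry plays the role of Apache's default vhost.
VHOSTS = {"www.example.com": "cert-example", "blog.example.net": "cert-blog"}


def build_client_hello(sni=None) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed test input).

    With sni=None the extensions block is omitted entirely, which is what a
    legacy non-SNI client sends; with a name, a server_name extension is added.
    """
    body = b"\x03\x03" + b"\x00" * 32          # client_version + random (zeros)
    body += b"\x00"                              # empty session_id
    suites = b"\xc0\x2f\x00\x9c"                 # two cipher suites
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                          # one compression method: null
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body   # handshake type + 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def parse_sni(record: bytes):
    """Return the host_name carried in the SNI extension, or None if there is none.

    Raises ValueError on anything that is not a well-formed ClientHello record.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) != int.from_bytes(hs[1:4], "big"):
        raise ValueError("truncated ClientHello")

    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated ClientHello field")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    take(2 + 32)                                  # client_version + random
    take(take(1)[0])                              # session_id
    take(struct.unpack("!H", take(2))[0])         # cipher_suites
    take(take(1)[0])                              # compression_methods
    if pos == len(body):
        return None                               # no extensions block: pre-SNI client
    ext_end = pos + struct.unpack("!H", take(2))[0]
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", take(4))
        data = take(elen)
        if etype != 0x0000:                       # 0x0000 = server_name (RFC 6066)
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
            name = data[p + 3:p + 3 + nlen]
            p += 3 + nlen
            if ntype == 0:
                return name.decode("ascii")
    return None


def dispatch(record: bytes, vhosts: dict, require_sni: bool = True):
    """Decide which vhost answers this ClientHello.

    Returns ("ok", server_name) or ("reject", reason). With require_sni=False the
    legacy behaviour applies: an SNI-less client gets the first (default) vhost,
    and therefore that vhost's certificate, whichever site it was trying to reach.
    """
    try:
        name = parse_sni(record)
    except ValueError as exc:
        return ("reject", f"malformed ClientHello: {exc}")
    if name is None:
        if require_sni:
            return ("reject", "no SNI presented")
        return ("ok", next(iter(vhosts)))
    name = name.lower().rstrip(".")
    if name in vhosts:
        return ("ok", name)
    return ("reject", f"unknown server name {name!r}")   # policy choice; a default vhost is the other option
```

The point the sketch makes concrete is the one in Mark's first question: with require_sni=False, a browser bound for one site is handed the other site's certificate and shows the user a warning, whereas with require_sni=True the decision is made before any certificate is sent. Note that refusing at the ClientHello, as dispatch does, means the client sees a TLS failure rather than an HTTP error page; Apache's own strict mode (mod_ssl's SSLStrictSNIVHostCheck, off by default) instead completes the handshake and answers the request with the 403 discussed above, which is why the question of 403 versus 400 arises there at all.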