I want to be able to detect if the browser support SNI - Server Name Indication. I'm hoping to redirect non compliant clients to a different address.
I was thinking of loading some content through SSL and make sure it was transfered securely. Otherwise the browser doesn't support SNI. Can this be done?
You could set up a server that supports SNI, serving two host names, on where you require SNI and one that's a fallback solution, both serving the name that they are hosting.
Something along the lines of:
https://www.example.com/name returns a representation saying I'm www.example.comhttps://www.example.net/name returns I'm www.example.net (and requires SNI).If you make an XHR request to https://www.example.net/name and it returns www.example.com, then the browser doesn't support SNI.
Not sure if this is what want but there is this
RewriteEngine on
# Test if SNI will work and if not redirect to too old browser page
RewriteCond %{HTTPS} on
RewriteCond %{SSL:SSL_TLS_SNI} =""
RewriteRule ^ http://www.example.com/too-old-browser [L,R=307]
If an old browser tried to use a site which needs SNI then it will be redirected (in this case back to http and a page saying browser is too old). But you will always get an error. It can't be avoided. The browser says hello IP...., and apache replies hello here is my certificate. If the browser does not supply SNI in the hello apache just sends default (i.e. wrong) certificate. Browser then complains.
If you want to pick this up from http before swapping to https then you could put something like this in htaccess
#Set $_SERVER['SSL_TLS_SNI'] for php = %{SSL:SSL_TLS_SNI} or value
SetEnv SSL_TLS_SNI %{SSL:SSL_TLS_SNI}
And then in your page do a https fetch from the default domain (default so browser does not say there is a security error). If SNI is working the in php $_SERVER['SSL_TLS_SNI'] will have the domain name, otherwise it will have %{SSL:SSL_TLS_SNI}. This bit of code could be improved but you get the idea.
You can only test for SNI support prior to requiring it. That is, you cannot force users onto SNI HTTPS and then fall-back if they don't support it, because they will receive an error like this (from Chrome on Windows XP) with no way to proceed.
So (unfortunately) the user has to actually begin over an insecure HTTP connection and then be upgraded only if they support SNI.
You can detect SNI support via:
Remote script
From your plain HTTP page, load a <script> from your destination SNI HTTPS server and if the script loads and runs correctly, you know the browser supports SNI.
Cross-Domain AJAX (CORS)
Similar to option 1, you could try performing a cross-domain AJAX request from the HTTP page to the HTTPS, but be aware that CORS has only limited browser support.
Sniff the user-agent
This is probably the least reliable method, and you will need to decide between having a blacklist of browsers (and operating systems) known not to support it, or a whitelist of known systems that do.
We know that all versions of IE, Chrome & Opera on Windows XP and below do not support SNI. See CanIUse.com for full list of supported browsers.
Since commercerack upgraded to SNI for all sites we've had the same issue. (Users starting checkout and getting a nasty SSL issue).
Feel free to use this as a starting point. As the list of browsers grow I will update but it does IE on XP + Android 2.0-2.2 right now.
https://github.com/brianhorakh/html-sni-useragent-sniffer-warning