I have just now made a test of the community portal www.security-portal.cz
SNI is implemented there, but your SSL server test doesn't take that feature into account.
Is it possible to fix it?
It's possible, but not trivial. The issue is that we rely on the Java SSL implementation in some parts of our tool, and the JDK 6 version does not support SNI. For that and several other reasons we are looking to migrate to some other SSL library, but it's going to take some time to evaluate the choices and migrate the code. But the next major version will most definitely support SNI.
Thanks for your answer.
I think that you can make a simple workaround because, according to the wiki:
it is supported by libcurl/curl, so you can fetch the certificate via curl and then provide the data to your Java application as usual for analysis.
JDK 7 supports this, no?
This would make a great addition to SSLLabs.
Hmmm, didn't I bring this up with the developer assigned to me about a year ago? This is one of the larger reasons why I couldn't recommend your SSL/malware services with our hosting company. I'm a bit surprised that it's still not supported o_o
With SNI support, all my sites would score ~90. So your scoring and ranking system on TIM is probably wrong.
David, I am sorry that you're disappointed. The lack of support for SNI is certainly the single most important feature missing from the SSL Labs test. I am migrating the software to JDK 1.7 now, and I expect that it will support SNI reasonably soon. I didn't assign SNI very high priority for development because it is still not practical for the hosting of public SSL web sites. There is still a large chunk of Windows XP users who use Internet Explorer; they cannot use SNI.
For illustration, here's a recent report that saw Windows XP at about 46% in April: http://www.netmarketshare.com/operating-system-market-share.aspx?qprid=11&qpcustomb=0&qptimeframe=M&qpsp=149&qpnp=11

I am sure that not all of those users run Internet Explorer, but looking at the browser stats, the situation is not significantly better: http://www.netmarketshare.com/browser-market-share.aspx?qprid=2&qpcustomd=0
Internet Explorer is the bastard child of web browsing that sits in the dark ages. All the other web browsers support SNI. The technically advanced users that manage websites are more likely to be using other browsers, at least in addition to IE, for developing and testing their

It's rather silly to wait until IE supports something before testing it. Especially when it comes to security issues.

Glaringly silly if you're grading websites and blatantly failing them based on functionality everyone supports but yourself [and older IE, on
Anything new regarding SNI support? It's currently still broken. Thank you!
It's not broken. It's not supported. There's a difference.
I did some research and an initial implementation. The early indications are that we'll need to largely rewrite our detection logic in order to deal with various real-life problems that come to life once SNI is enabled. So it's not going to be as easy as I had hoped.
Why? If you just include the servername TLS extension in the hello, you get the right certificate back.
If these real-life problems you've identified are related to strange server configurations, won't they already not work with the existing test because it doesn't support SNI at all? Is there a regression for sites that don't depend on SNI (and what is it, I'm curious?)
Most of the issues are not with SNI itself, but to support SNI we have to move to JDK 7, which has a different SSL implementation, and that requires a full re-test. One SNI-related issue, for example, is that JSSE in JDK 7 will abort on the SNI incorrect hostname alert. Many web servers that do not use SNI send this alert. It's ignored by browsers and most other tools, but not by JDK 7. I also have an issue with JDK 7 sending extensions with the SSL v3 protocol, which does not support extensions. These are just some of the problems that come to mind. Because of all that, the upgrade of SSL Labs is currently queued, waiting for sufficient resources for a thorough test.
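The two protocol points raised in this thread (the server_name extension in the ClientHello selecting the certificate, and the unrecognized_name alert that a strict client aborts on while browsers ignore it, plus the fact that an SSLv3 hello has nowhere to put extensions) can be made concrete offline. The following is an added example written for this page, not code from SSL Labs or from the poster: it builds and parses a ClientHello record with a server_name extension, and models a name-based virtual host picking a certificate and the two client policies toward the alert. The cipher suites, random bytes, hostnames other than www.security-portal.cz and the vhost table are constructed sample values; hostnames are assumed to be ASCII.

```python
import struct

# Record / handshake constants from RFC 5246 (TLS) and RFC 6066 (server_name extension)
CONTENT_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
NAME_TYPE_HOST_NAME = 0x00
SSL3 = (3, 0)
TLS12 = (3, 3)

# Constructed sample values, not taken from any real capture.
SAMPLE_RANDOM = bytes(range(32))
SAMPLE_CIPHER_SUITES = bytes.fromhex("c02fc030")   # two ECDHE-RSA AES-GCM suites


def build_sni_extension(hostname):
    """Encode a server_name extension (RFC 6066 section 3) with one host_name entry."""
    name = hostname.encode("ascii")            # assumption: ASCII (A-label) hostname
    entry = bytes([NAME_TYPE_HOST_NAME]) + struct.pack("!H", len(name)) + name
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list


def build_client_hello(version, hostname=None):
    """Build one TLS record carrying a ClientHello; an SSLv3 hello cannot carry extensions."""
    if version == SSL3 and hostname is not None:
        raise ValueError("SSLv3 ClientHello has no extensions block; cannot carry SNI")
    body = bytes(version) + SAMPLE_RANDOM
    body += b"\x00"                                          # session_id: empty
    body += struct.pack("!H", len(SAMPLE_CIPHER_SUITES)) + SAMPLE_CIPHER_SUITES
    body += b"\x01\x00"                                      # compression_methods: null only
    if hostname is not None:
        ext = build_sni_extension(hostname)
        body += struct.pack("!H", len(ext)) + ext            # extensions block
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE]) + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record):
    """Return the host_name from a ClientHello's server_name extension, or None if absent."""
    if record[0] != CONTENT_HANDSHAKE or record[5] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello record")
    body = record[9:]                              # skip record header (5) and handshake header (4)
    pos = 2 + 32                                   # client_version + random
    pos += 1 + body[pos]                           # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    if pos >= len(body):
        return None                                # no extensions block at all (SSLv3-style hello)
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if ext_type == EXT_SERVER_NAME:
            data = body[pos:pos + ext_len]
            list_len = struct.unpack("!H", data[:2])[0]
            i = 2
            while i < 2 + list_len:
                name_type = data[i]
                name_len = struct.unpack("!H", data[i + 1:i + 3])[0]
                if name_type == NAME_TYPE_HOST_NAME:
                    return data[i + 3:i + 3 + name_len].decode("ascii")
                i += 3 + name_len
        pos += ext_len
    return None


def select_certificate(record, vhosts, default_host):
    """Model a name-based virtual host choosing a certificate from the ClientHello.

    vhosts maps hostname -> certificate label. Returns (certificate, alert): alert is
    'unrecognized_name' (sent as a warning-level alert by many servers) when the client
    named a host the server does not know, None otherwise. A hello without SNI gets the
    default certificate and no alert.
    """
    name = parse_sni(record)
    if name is None:
        return vhosts[default_host], None
    if name in vhosts:
        return vhosts[name], None
    return vhosts[default_host], "unrecognized_name"


def client_accepts(alert, abort_on_unrecognized_name):
    """Client policy: browsers ignore the warning; a strict client treats it as fatal."""
    return not (alert == "unrecognized_name" and abort_on_unrecognized_name)


if __name__ == "__main__":
    vhosts = {"www.security-portal.cz": "cert-security-portal", "default.example": "cert-default"}
    hello = build_client_hello(TLS12, "www.security-portal.cz")
    print(parse_sni(hello), select_certificate(hello, vhosts, "default.example"))
```

Running the module prints the hostname recovered from the record and the certificate the modelled server would hand back; swapping the hostname for one not in the vhost table yields the default certificate together with the unrecognized_name alert, which client_accepts then treats differently depending on the strict flag.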
I just wanted to let you know that today we deployed our first 1.1.x release (beta), which supports SNI. We're monitoring the operation to determine if there are still issues that need ironing out.