
SSL/TLS test ignoring "www" subdomain, only testing bare domain. SNI issue?

Question asked by heypete on Jan 14, 2013
Latest reply on Feb 11, 2013 by heypete

Hi folks,

 

My web hosting company recently enabled HTTPS hosting using SNI (too bad for IE users on XP, but such is life).

 

I decided to test the setup using the SSL/TLS tester offered by Qualys but have run into an interesting issue: if one wishes to test the (fictitious) "www.example.com" the tester connects to the server but appears to use SNI to tell the server it wants the certificate for "example.com". As no site is configured on "example.com", the server has no idea what certificate it should send and so it sends the default one (which is for the hosting company, not for their clients). Naturally, the tester complains that the certificate does not match the server name.

 

This does not appear to be desired behavior.

 

I also note on the list of "recently seen" sites on the tester's main page, there are no sites with the "www" subdomain -- is this simply for display purposes or is the tester assuming that "www.example.com" = "example.com"?
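
The behaviour described in the question, modelled as an added example that is not part of the original post and is not the tester's own code: a name-based server picks its certificate from the SNI value and falls back to a default, so a client that sends `example.com` while checking `www.example.com` receives a certificate that does not cover that name. The vhost table, the `hosting.example.net` default names and all function names are assumptions; `fetch_cert_names` is the live equivalent using Python's `ssl` module.

```python
import socket
import ssl

# Constructed sample data: getpeercert()-style dicts, not real certificates.
VHOSTS = {"www.example.com": {"subjectAltName": (("DNS", "www.example.com"),)}}
DEFAULT = {"subjectAltName": (("DNS", "hosting.example.net"),
                              ("DNS", "*.hosting.example.net"))}


def names_in_cert(cert):
    """DNS names listed in the certificate's subjectAltName."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def name_matches(pattern, host):
    """Exact match, or a '*' standing for exactly the left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]


def select_cert(vhosts, default_cert, sni):
    """Server side: certificate for the SNI name, else the default one."""
    return vhosts.get(sni.lower(), default_cert) if sni else default_cert


def check(vhosts, default_cert, wanted_host, sni_sent):
    """Client side: does the cert returned for sni_sent cover wanted_host?"""
    cert = select_cert(vhosts, default_cert, sni_sent)
    return any(name_matches(n, wanted_host) for n in names_in_cert(cert))


def fetch_cert_names(address, sni, port=443, timeout=5):
    """Live variant: connect to address, send sni, return the cert's names."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; caller compares names
    with socket.create_connection((address, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return names_in_cert(tls.getpeercert())


if __name__ == "__main__":
    for sni in ("www.example.com", "example.com"):
        ok = check(VHOSTS, DEFAULT, "www.example.com", sni)
        print(f"SNI sent: {sni:16} covers www.example.com: {ok}")
```

Calling `fetch_cert_names` twice against the same address, once with each SNI value, shows whether a server returns different certificates for the two names.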
