Great! Your client [Mozilla/5.0 (Windows NT 6.3; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0] sent the following TLS server name indication extension (RFC 6066) in its ClientHello (negotiated protocol: TLSv1.2, cipher suite: ECDHE-RSA-AES256-GCM-SHA384):
sni.velox.ch
In your request, this header was included:
Host: sni.velox.ch
This Web server is running Apache httpd's mod_ssl, linked against a version of OpenSSL with support for TLS extensions. Apache httpd 2.2.12 was the first official release featuring TLS SNI capabilities.
For the current connection (established at Tue Aug 2 16:26:55 UTC 2016), httpd is assuming that the certificate with CN=*.sni.velox.ch is the correct one.
Apache is configured as shown below and uses three certificates (kindly provided by QuoVadis), where CN=alice.sni.velox.ch, CN=bob.sni.velox.ch, and CN=*.sni.velox.ch.
Based on the information your client submitted, the highlighted VirtualHost has been selected for your viewing pleasure:
Listen 443
# NameVirtualHost is only needed for httpd 2.2.x
NameVirtualHost *:443

<VirtualHost *:443>
    SSLEngine On
    ServerName alice.sni.velox.ch:443
    ServerAlias carol.sni.velox.ch
    DocumentRoot /var/www/html/alice
    SSLCertificateFile /etc/pki/tls/certs/alice.sni.velox.ch.crt
    SSLCertificateKeyFile /etc/pki/tls/private/alice.sni.velox.ch.key
    # alice.sni.velox.ch.crt has a subjectAltName extension
    # with two dNSName entries: alice.sni.velox.ch and
    # carol.sni.velox.ch
    # Since this VirtualHost is listed first, it's also
    # the default one and will get selected if none
    # of the others match
</VirtualHost>

<VirtualHost *:443>
    SSLEngine On
    ServerName bob.sni.velox.ch:443
    ServerAlias dave.sni.velox.ch
    DocumentRoot /var/www/html/bob
    SSLCertificateFile /etc/pki/tls/certs/bob.sni.velox.ch.crt
    SSLCertificateKeyFile /etc/pki/tls/private/bob.sni.velox.ch.key
    # bob.sni.velox.ch.crt has a subjectAltName extension
    # with two dNSName entries: bob.sni.velox.ch and
    # dave.sni.velox.ch
</VirtualHost>

<VirtualHost *:443>
    SSLEngine On
    ServerName mallory.sni.velox.ch:443
    ServerAlias *.sni.velox.ch
    ServerAlias sni.velox.ch
    DocumentRoot /var/www/html/mallory
    SSLCertificateFile /etc/pki/tls/certs/mallory.sni.velox.ch.crt
    SSLCertificateKeyFile /etc/pki/tls/private/mallory.sni.velox.ch.key
    # mallory.sni.velox.ch.crt has a subjectAltName extension
    # with two dNSName entries: *.sni.velox.ch and
    # sni.velox.ch
    # Since it has a wildcard DNS name, it will match for any
    # VirtualHost below .sni.velox.ch which is not explicitly configured
</VirtualHost>
Clicking on the ServerName and ServerAlias links should get you to these VirtualHosts. The .crt links will show the certificates in PEM format, preceded by an OpenSSL text dump.
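The selection behaviour described in the configuration comments can be modelled as follows. This is an added example, not code from the original page or from httpd: it assumes ServerAlias wildcards behave like shell-style patterns (fnmatch here) and that a certificate wildcard covers exactly one label, and it models only the certificate choice made from the SNI name. The names `select_vhost`, `cert_covers` and `check` are hypothetical.

```python
from fnmatch import fnmatchcase

# VirtualHosts in file order, transcribed from the configuration on this page:
# (ServerName, [ServerAlias...], [dNSName entries named in the comments])
VHOSTS = [
    ("alice.sni.velox.ch", ["carol.sni.velox.ch"],
     ["alice.sni.velox.ch", "carol.sni.velox.ch"]),
    ("bob.sni.velox.ch", ["dave.sni.velox.ch"],
     ["bob.sni.velox.ch", "dave.sni.velox.ch"]),
    ("mallory.sni.velox.ch", ["*.sni.velox.ch", "sni.velox.ch"],
     ["*.sni.velox.ch", "sni.velox.ch"]),
]

def select_vhost(sni):
    """Return the first vhost whose ServerName or ServerAlias matches the
    SNI name; fall back to the first listed vhost (the default)."""
    name = (sni or "").lower().rstrip(".")
    for vhost in VHOSTS:
        server_name, aliases, _ = vhost
        # Assumption: alias wildcards are shell-style, so '*' may span labels.
        if name == server_name or any(fnmatchcase(name, a) for a in aliases):
            return vhost
    return VHOSTS[0]

def cert_covers(name, san):
    """Certificate name check: a leading '*' stands for exactly one label."""
    name, san = name.lower().rstrip("."), san.lower()
    if san.startswith("*."):
        label, _, rest = name.partition(".")
        return bool(label) and rest == san[2:]
    return name == san

def check(sni):
    """Return (selected ServerName, True if its certificate covers sni)."""
    server_name, _, sans = select_vhost(sni)
    covered = bool(sni) and any(cert_covers(sni, s) for s in sans)
    return server_name, covered

if __name__ == "__main__":
    # Constructed sample names; None stands for a client that sends no SNI.
    for sni in ["carol.sni.velox.ch", "dave.sni.velox.ch", "sni.velox.ch",
                "x.sni.velox.ch", "a.b.sni.velox.ch", "other.example", None]:
        print(sni, "->", check(sni))
```

A name such as a.b.sni.velox.ch shows the gap between the two wildcard semantics: the ServerAlias pattern selects the mallory VirtualHost, but the *.sni.velox.ch entry in its certificate does not cover a two-label prefix. Unknown names and clients without SNI land on the default (first) VirtualHost and receive a certificate that does not match what they asked for.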
Browsers/clients with support for TLS server name indication:
Last updated 2013-05-08, Kaspar Brand (contact: sni velox ch, insert "@" before and "." after "velox")