Server Name Indication (HTTPS without private IP)

Why isn’t Dreamhost using Server Name Indication for TLS?

This way we wouldn’t need a static IP.

I found a suggestion here but it is not going anywhere unless people vote.

Suggestion name: HTTPS without unique IP address
Under: Domains - Manage

Please vote, people!!!

That suggestion was marked completed. So how do I use SNI on Dreamhost?

The marking on that suggestion is wrong. We do not currently support SNI, as it is still new enough that a large fraction of web browsers (including all versions of Internet Explorer on Windows XP, as well as many mobile browsers) cannot connect securely to sites using SNI. Using SNI simply isn’t a viable option yet, and probably will not be until either Windows XP passes out of common usage, or Microsoft releases a patch which enables SNI on Windows XP.

I don’t actually care whether the majority of web browsers support SNI or not as I do not need to allow secure access from all browsers – just mine will do.

For example, I just want to use https to edit my blog posts. I do not need Dreamhost to provide my website with a unique IP address just for that! I just need: a) SNI support on the Dreamhost side, b) SNI support in my browser. (b) is my business, not Dreamhost’s.

I understand that Dreamhost has to concern itself with users who will see the cheaper (no unique IP address) option, pick it, then complain that “gee, it doesn’t work from certain browsers”. Worse, those users might train their users to just click OK on the “give your money to the bad guys” dialog, which is bad. One way to address such concerns would be to allow the SNI approach only for users who specifically request it (if you know what it is and related issues, then chances are you know what you’re doing).

That is pretty much the exact reason why we’ve held off on supporting SNI.

One other possible solution we may end up using would be to require a unique IP for professionally signed certificates, but allow SNI for self-signed certs (since those will usually throw certificate warnings anyway).

andrewf: I understand your position. However, I still want SNI. There are good reasons to want it: a) I’m not doing any commerce, so training users to click through that dialog doesn’t bother me, b) we (Dreamhost and its customers) also need to train browser vendors/communities to add support for SNI and users to upgrade.

In any case, I badly, badly want TLS for the Dreamhost XMPP service. I’d also like to be able to use HTTPS for editing my blogs. I don’t mind using self-signed certs for either of those two purposes, so I’ll take that if it’s the only option you’ll give me, but I’d rather have “professionally signed” certificates.

I see that Google App Engine will soon support SNI, so it is becoming more mainstream:

One idea for marketing SNI is as “SSL for HTML5 sites,” since any site that requires HTML5 features can only run on browsers/OSes that support SNI.

I know this is an old thread but I’d like to awaken it again and +1 it :)


-1 :: if SSL is “important” then do it “correctly” :)


What’s the big deal about not reserving an IP per SSL vhost?

I too want SSL, and I really don’t care if all users can’t use it. I need it to manage sites. The price to implement HTTPS with a shared cert is currently about the same price as simply using another hosting provider that offers HTTPS with a shared SSL cert anyways, and I still get unlimited bandwidth, storage, one click installs etc. So it really can’t be that difficult to implement at Dreamhost.

If I find that webhost comparable, then I suppose I will move all my sites away. Wouldn’t you?