Why No HTTP/2 Support on Shared Hosting?


#1

Dreamhost is falling behind the standard. All across the internet, shared hosting companies are offering HTTP/2.

HTTP/2 is important going forward. If it is not offered soon for shared hosting, we will start to move to other hosting companies.


#2

I’m not sure if they want shared hosting customers anymore. The message seems to be buy DreamCompute and roll it your way…


#3

We still love and want our shared hosting customers!

You can already enable HTTP/2 if you’re using NGINX on a VPS or dedicated machine but the team is working hard to bring HTTP/2 with apache to our shared, VPS, and dedicated servers. Testing is underway now and we’ve made a lot of progress in the last few months.

Right now a rough estimate based on the progress so far looks like it we could have it released in Q2/Q3. It all depends on how the testing goes and if any unforeseen issues pop up.

It’s not as fast as we’d like either, but hang in there, it’s almost ready!


#4

Good news it is in process of preparation/implementation.

According to W3Techs, as of January 2017, 12.7% of the top 10 million websites support HTTP/2 and growing.

I had recommended Dreamhost to a client, but they replied that Dreamhost shared hosting does not support HTTP/2 so they went elsewhere.

HTTP/2 has become a talking point in many circles. Anxiously awaiting when I can utilize the benefits it brings, especially the increased speed.


#5

After the HTTP/2 upgrade for shared servers, will we have SNI for our HTTPS websites?


#6

Our shared servers already include SNI support! That’s why you can enable secure hosting for your sites without needing a unique IP address. We’ve got a bit more info in our Knowledge Base - https://help.dreamhost.com/hc/en-us/articles/216041537-Secure-Hosting-overview


#7

Not according to a couple tests, including: https://www.ssllabs.com/ssltest/analyze.html

When I test my site, it reports: [quote] sni.dreamhost.com MISMATCH
NO SNI[/quote]My site fails the SNI check. I assume this is costing me a lot of traffic.

Is this something that needs to be fixed? Thanks


#8

Sounds like your secure hosting is misconfigured.

SNI has been available at DreamHost for quite some time now, and zillions of DreamHost sites are operating over HTTPS thanks to SNI.

Just for fun, I searched Twitter, found a few sites vying to be DreamHost site of the month, verified they’re on shared hosting, and ran them through the Qualsys SSL Labs checker. Most sites I tested got A grades and the checker reported “This site works only in browsers with SNI support” – exactly what you’d expect to see.

The problem you’re having is with how your site is configured, not with DreamHost’s server stack. Ask support to assist you by launching a live chat session or filing a ticket.


#9

Weird. I just tried one of my domains on shared hosting with LetsEncrypt certificate and I get no SNI error. Can you supply a domain you tested on ssllabs?

The result I get from shared.senzabidet.com on sslabs.com says: This site works only in browsers with SNI support.


#10

SSL labs says “No SNI” for https://www.apassion4jazz.net/

The site gets very good scores in all categories BUT it fails SNI


#11

Is there a staff person willing to address this?

This is the report from : https://www.ssllabs.com/ssltest/analyze.html for https://www.apassion4jazz.net/

[quote]
NO SNI

Common names sni.dreamhost.com MISMATCH
Alternative names -
Valid from Tue, 11 Aug 2015 18:24:23 UTC
Valid until Fri, 08 Aug 2025 18:24:23 UTC (expires in 8 years and 3 months)
Key RSA 2048 bits (e 65537)
Weak key (Debian) No
Issuer sni.dreamhost.com Self-signed
Signature algorithm SHA256withRSA
Extended Validation No
Certificate Transparency No
OCSP Must Staple No
Revocation information None
Trusted No NOT TRUSTED[/quote]


#12

Can anyone from Dreamhost staff explain why my site fails the SNI test?


#13

To be clear is this a self-signed certificate generated by dreamhost or a let’s encrypt certificate or a paid certificate?

From my kitchen window that look like the problem. It doesn’t look like it’s a CA signed certificate.

…but I’m not staff.


#14

Thank you for sharing your site’s domain name. I checked ssllabs and your site is not failing the test. It passes with full votes the SSL tests. Here is a screenshot: http://imgur.com/T8qtBCw


#15

You missed it.

Your screen shot shows the top of the report. You need to scroll down to the next section where it says NO SNI.

There it says why my site fails the SNI test. It explains that the SNI for my site is MISMATCHED with that of sni.dreamhost.com.


#16

I see that SSLabs reports a certificate #2 but I don’t see any errors in the browsers, nor in openssl s_client so I thought that such #2 was not relevant. I asked a couple of colleagues to dig deeper and we found that the second certificate seems to show up reliably only in SSLabs reports. We pulled your site’s certificate using openssl s_client & sslscan for a few hours and we’ve seen the wrong certificate being served a couple of times only. So there seems to be something strange in the way DreamHost’s Apache does things.

The thing is that the browsers don’t seem to be confused and most of the times ssl clients also get served the correct certificates with SNI and all. The error seems to be totally random, which means hard to replicate and to fix (which means also that it won’t be fixed unless its impact on business is high.)

How is your site being impacted by this second certificate?


#17

Don’t know. I was alerted to this by a potential client that wanted me to move his 2 sites. I was going to put them here on shared hosting, but he ran that test and declined.
I lost the client because he thought I was ignorant about the situation. Then I tested my site and he was correct.


#18

There’s no way of knowing how much traffic I’m loosing.

I’m not going to know who is not able to connect to the server because of the SNI failure.


#19

How many customers/domains are impacted?

It seems like if this can be replicated on one domain in a few hours time with a few hits, that an automated testing script should be able to find many many instances in a few hours if the domains tested is expand.

Don’t “seem” to be confused? How do we know that?

The impact on business is high if one browser fails and a customer is lost.


#20

Agreed. When it is our business and our customer, everything is “high impact.”

At any rate, the support ticket I submitted has been elevated and someone should be looking further into this issue. This seems like a significant failure that would be affecting everyone’s site.