SNI on ordered certificate vs Pro plan

dash-crypto
#1

Hi,

I have a question about SNI usage. We have a lot of old clients with outdated browsers without SNI support (don’t ask why). So I need a HTTPS certificate which does NOT use SNI. I know that the free, shared certificates use SNI, so not an option.
What about ordered certificates? When I order a 5$/month certificate on my free plan, does it require SNI? Or do I have to upgrade to a pro plan and with that comes a free certificate without SNI?

Thanks so much

#2

SNI is related to the server respectively protocol, not the certificate. You are probably referring to SANs. Vowels, arent they fun :wink:

Check out https://support.cloudflare.com/hc/en-us/articles/203041594-Cloudflare-SSL-cipher-browser-and-protocol-support, which should have more details. The free plan generally only supports “modern” browsers, whereas paid plans are supposed to support “all” browsers. Though, I am not sure whether SSL requests without SNI would work nonetheless. Thats probably something best to clarify via a support ticket.

@cloonan @cscharff

#3

Thanks! It would be very unfortunate if SSL requests without SNI would not work, as there are still many devices (in particular SmartTVs) which do not support it

#4

The problem is, without SNI the SSL connection is established without a specific hostname, hence Cloudflare cant present the appropriate certificate.

That is why I believe SNI will always be required but for a definitive answer you’d need to contact support. Maybe they have something up their sleeve :slight_smile:

#5

I have being delivering content to smart TVs for many years with SNI without issue. Some manufacturers have very restricted lists of supported CAs. I have to use a Globalsign custom cert on some Cloudflare proxied hostnames as a result (other CAs might work, but you will need to do the research for your required devices.)

2 Likes