I need to turn off SNI for HTTPS. Payments on my website couldn’t be made, because the payment provider doesn’t support SNI for HTTPS.
How can I do that?
It looks like Free Plans with Universal SSL need SNI.
Paid Plans ($20 Pro or $200 Business) with Universal SSL don’t require SNI. At least according to my SSL Labs test.
I’m not sure if the $5 or $10 per month Dedicated certificate on a Free Plan requires SNI, as I don’t have any dedicated certs.
Maybe someone else can confirm this.
I have a paid plan ($20) with Universal SSL and it has SNI.
Also I bought dedicated SSL, but the same problem.
Can you run the Qualys SSL Labs test? https://www.ssllabs.com/ssltest/index.html
When I run it, my Free Plan (top image) shows SNI, but my Pro Plan (bottom image) doesn’t.
It shows: This site works only in browsers with SNI support.
I am a newbie to Cloudflare, guess I have done something wrong?
- SSL = Full (Strict)
- Edge Certificates
  - Universal - 2 certificates
  - Dedicated - 2 certificates
Do I need to do something else?
I do see documentation that says Dedicated needs SNI. Maybe that’s the problem. You’d have to delete those Dedicated certs to find out for sure. At worst, you’d have to re-enable them for $5.
On our free plan we issue one certificate that requires the client browser to support SNI (Server Name Indication). On our Pro plan we issue 3 certificates for your domain and client browsers do not need to support SNI. This makes our pro plan more compatible with a wider range of clients.
I have the Pro plan. How can I turn off SNI?
It’s automatically disabled if the browser doesn’t support it. It seems strange, since all modern browsers support it, that you need to disable it because it doesn’t work.
Try deleting the dedicated certificate.
I have deleted the dedicated certificate - nothing changed.
What’s the domain?
That still looks like a Dedicated certificate. It should have a Common Name (CN) of Cloudflare.
Maybe it takes a while for the dedicated certificate to clear out.
It looks like the Universal cert is showing up, but it’s a Cloudflare SNI cert instead of the Comodo SSL ones I have on my paid plans.
@cloonan, his SSL/TLS appshot only shows 2 certificates for Universal. But so do my Comodo ones.
Yes, @sdayman, I noticed both of those and randomly checked other Pro accounts and observed the same. It is odd, as I expected to see the 3, but I’m not sure if that’s what is causing the issue.
Next bit is copied from https://support.cloudflare.com/hc/en-us/articles/204144518-SSL-FAQ:
In general, SSL certificate prioritization occurs as follows from highest to lowest priority:
Exceptions to general prioritization occur based on hostname specificity. Certificates that mention a specific hostname are preferred to wildcard certificates. For example, a Universal SSL certificate that explicitly mentions www.example.com takes priority over a certificate that matches the www hostname via a wildcard such as *.example.com.
If we’re seeing the universal cert, the priority is for some reason higher than the other. @slobodchuk, it would not hurt to get in the queue with Support in case we need them to adjust/reorder certs. To contact Cloudflare Customer Support, log in & go to https://dash.cloudflare.com/?account=support and select get more help. Please share your ticket number here and I’ll make sure it’s in the proper queue.
@cloonan The ticket number is 1717603. Thanks in advance!
Perfect, thank you. I see the ticket and will add myself to it.
Edit - I see the certificate on the origin and don’t see an issue that would cause it to lower priority.
Their Dedicated certificate is gone now. All that’s left is Universal. And it’s still forcing SNI. On a Pro Plan…right? According to an earlier post…
I think I know the solution!
Some time ago Cloudflare started enabling free certificates with only the actual domain name of the user. He is using that certificate pipeline, and it doesn’t issue or at least publicly support non-SNI browsers. My website on the Pro plan on that pipeline suffers the same.
My business domain, on the same pipeline (or the same concept due to the next part of this paragraph), has an ssl*.Cloudflaressl.com Common Name on the cert as opposed to sni.Cloudflaressl.com. That supports SNI on the Universal cert.
@cloonan you know my domains and have access to my account, can you check internally?