SNI with Internet Explorer 9


Gustavo Machado

Sep 26, 2012, 1:30:10 PM
to nod...@googlegroups.com
Hi guys,

I have a rather strange problem when trying to use node.js with HTTPS and SNI. In order to reproduce the error, you would have to open internet options in IE 9, and check:

SSL v2
SSL v3
TLS 1.0
TLS 1.1
(do not check TLS 1.2)

And verify that the SNICallback is not being called:

SNICallback: function (hostname) {
        console.log('hostname: ' + hostname);
        // ....
}

This obviously seems to be a problem with IE9 since the rest of the browsers are working fine, but there's one thing that node seems to be ignoring. IE9 starts the handshake with SSLv2, and node.js is not trying to upgrade the connection to SSLv3 (which presumably would make the SNI work on IE).

Is there any way to make node.js try to force the secure connection with SSLv3? Am I missing something? Any help is much appreciated.

Thanks,
Gus

PS: I know IE 9 is less than optimal; however, company policies are forcing this specific configuration.

Gustavo Machado

Sep 26, 2012, 1:36:32 PM
to nod...@googlegroups.com
Sorry, here's the code to reproduce the problem:


Gus

Fedor Indutny

Sep 26, 2012, 1:52:01 PM
to nod...@googlegroups.com
I think IE is the only browser that doesn't support SNI at all.



--
Job Board: http://jobs.nodejs.org/
Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
You received this message because you are subscribed to the Google
Groups "nodejs" group.
To post to this group, send email to nod...@googlegroups.com
To unsubscribe from this group, send email to
nodejs+un...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/nodejs?hl=en?hl=en

Gustavo Machado

Sep 26, 2012, 2:41:26 PM
to nod...@googlegroups.com
Well... it must be one with the worst support for SNI; however, if you add TLS 1.2 to the mix, everything will work perfectly:
[x] SSL v2
[x] SSL v3
[x] TLS 1.0
[x] TLS 1.1
[x] TLS 1.2  <-- checked it works. unchecked it doesn't work (although it should)

I have tried to access some apps hosted in nodejitsu using this config and it works (https://argentino.jit.su/) and I think they are using the http-proxy (which has the same problem). So I must be missing something (or they are not using SNI at all).

Thanks,
Gustavo

Fedor Indutny

Sep 27, 2012, 5:17:24 AM
to nod...@googlegroups.com
This is not related to SNI at all. (I'm working at Nodejitsu).

Gustavo Machado

Sep 27, 2012, 8:59:50 AM
to nod...@googlegroups.com
Fedor, if it's not SNI related, can you think of anything that might
be causing the following code not to work? (in chrome and firefox
it does)

var https = require('https');
var fs = require('fs');
var crypto = require("crypto");

var options = {
  SNICallback: function (hostname) {
    console.log('hostname: ' + hostname);
    return crypto.createCredentials({
        key: fs.readFileSync('default.key'),
        cert: fs.readFileSync('default.crt')
    }).context;
  }
};

https.createServer(options, function (req, res) {
    res.writeHead(200);
    res.end("hello world\n");
}).listen(8001);

Thanks,
Gustavo

Fedor Indutny

Sep 27, 2012, 1:44:23 PM
to nod...@googlegroups.com, Bert Belder
Sadly, I don't have Windows installed either on my MacBook or in a virtual machine.

Bert, can you please look into this?

Cheers,
Fedor.

jwr...@mtmrecognition.com

Aug 5, 2013, 2:32:52 PM
to nod...@googlegroups.com
Gustavo - did you ever find a solution to this problem?

ekryski

Aug 6, 2013, 12:29:25 AM
to nod...@googlegroups.com
Definitely not an expert in the area but you might want to look at this article if you haven't yet: http://en.wikipedia.org/wiki/Server_Name_Indication. Looks like any version of IE on Windows XP doesn't support SNI. Also, apparently Android 2.x? Maybe this helps point you guys in the right direction?

Eric

Felipe Gasper

Aug 6, 2013, 2:33:14 AM
to nod...@googlegroups.com
There is always:
https://alice.sni.velox.ch/

... to test SNI support in a given browser.

-FG

jwr...@mtmrecognition.com

Aug 6, 2013, 3:49:48 PM
to nod...@googlegroups.com
Thanks for the help ekryski and Felipe -

Unfortunately the error occurs on Windows 7, so I believe SNI should be supported. I tried Felipe's link and it approved IE9 on W7.

Felipe Gasper

Aug 6, 2013, 4:15:53 PM
to nod...@googlegroups.com
I tried your gist.

I had to put the key and cert into the main "options" object, but
otherwise it ran fine. I was able to connect from VMs running IE9 and
IE10 in Win7/x64.

-Felipe Gasper
cPanel, Inc.

Felipe Gasper

Aug 6, 2013, 4:21:05 PM
to nod...@googlegroups.com
Also, I have, by default, the following enabled:

SSL 3
TLS 1

All other SSL/TLS versions are off.

-F
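
An SSLv2-format ClientHello has no extensions field and so cannot carry SNI, which would leave `SNICallback` uncalled as described in the first post and make the server depend on a default key and cert in the main options object. The following is an added diagnostic example, not code from the thread: it classifies the first bytes a client sends and extracts the SNI name when one is present. `inspectClientHello`, `sampleTlsHello` and the sample bytes are constructed for illustration.

```javascript
'use strict';
const u16 = (n) => Buffer.from([n >> 8, n & 0xff]);

// Classify a client's first flight. Returns { format, sni }.
function inspectClientHello(buf) {
  // SSLv2-format hello: 2-byte header with the high bit set, then msg type 1.
  // This layout has no extensions field, so it cannot carry a server name.
  if (buf.length >= 3 && (buf[0] & 0x80) && buf[2] === 0x01) {
    return { format: 'sslv2-hello', sni: null };
  }
  // TLS record type 0x16 (handshake) wrapping handshake type 0x01 (ClientHello).
  if (buf.length < 44 || buf[0] !== 0x16 || buf[5] !== 0x01) {
    return { format: 'unknown', sni: null };
  }
  try {
    let p = 43;                                // past headers, version, random
    p += 1 + buf.readUInt8(p);                 // session_id
    p += 2 + buf.readUInt16BE(p);              // cipher_suites
    p += 1 + buf.readUInt8(p);                 // compression_methods
    const end = p + 2 + buf.readUInt16BE(p);   // throws if no extensions block
    for (p += 2; p + 4 <= end; p += 4 + buf.readUInt16BE(p + 2)) {
      if (buf.readUInt16BE(p) !== 0x0000) continue;  // not server_name
      // list length (2), name_type (1), name length (2), then the host name
      const n = buf.readUInt16BE(p + 7);
      return { format: 'tls-hello', sni: buf.toString('ascii', p + 9, p + 9 + n) };
    }
  } catch (e) { /* truncated or extension-less hello: report no SNI */ }
  return { format: 'tls-hello', sni: null };
}

// Constructed samples, not captured traffic.
function sampleTlsHello(host) {
  const name = Buffer.from(host, 'ascii');
  const sni = Buffer.concat([u16(0), u16(name.length + 5), u16(name.length + 3),
    Buffer.from([0x00]), u16(name.length), name]);
  const body = Buffer.concat([Buffer.from([0x03, 0x02]), Buffer.alloc(32), // TLS 1.1
    Buffer.from([0x00, 0x00, 0x02, 0x00, 0x2f, 0x01, 0x00]), u16(sni.length), sni]);
  const hs = Buffer.concat([Buffer.from([0x01, 0x00]), u16(body.length), body]);
  return Buffer.concat([Buffer.from([0x16, 0x03, 0x01]), u16(hs.length), hs]);
}
// First bytes of an SSLv2-format hello advertising version 3.1 (header only).
const SAMPLE_SSLV2_HELLO = Buffer.from([0x80, 0x2e, 0x01, 0x03, 0x01]);

console.log(inspectClientHello(sampleTlsHello('example.test')),
  inspectClientHello(SAMPLE_SSLV2_HELLO));
```

Fed the first chunk read from a plain `net` socket on a test port, it shows which hello format a given browser configuration actually sends.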