TLS SNI Test Site: alice.sni.velox.ch

Great! Your client [CCBot/2.0 (http://commoncrawl.org/faq/)] sent the following TLS server name indication extension (RFC 6066) in its ClientHello (negotiated protocol: TLSv1, cipher suite: ECDHE-RSA-AES256-SHA):

  alice.sni.velox.ch

In your request, this header was included:

  Host: alice.sni.velox.ch

This Web server is running Apache httpd's mod_ssl, linked against a version of OpenSSL with support for TLS extensions. Apache httpd 2.2.12 was the first official release featuring TLS SNI capabilities.

For the current connection (established at Sat Jul 12 11:37:27 UTC 2014), httpd is assuming that the certificate with CN=alice.sni.velox.ch is the correct one. Apache is configured as shown below and uses three certificates (kindly provided by QuoVadis), with CN=alice.sni.velox.ch, CN=bob.sni.velox.ch, and CN=*.sni.velox.ch. Based on the information your client submitted, the highlighted VirtualHost has been selected for your viewing pleasure:

  Listen 443
  # NameVirtualHost is only needed for httpd 2.2.x
  NameVirtualHost *:443

  <VirtualHost *:443>
    SSLEngine On
    ServerName alice.sni.velox.ch:443
    ServerAlias carol.sni.velox.ch
    DocumentRoot /var/www/html/alice
    SSLCertificateFile /etc/pki/tls/certs/alice.sni.velox.ch.crt
    SSLCertificateKeyFile /etc/pki/tls/private/alice.sni.velox.ch.key
    # alice.sni.velox.ch.crt has a subjectAltName extension
    # with two dNSName entries: alice.sni.velox.ch and
    #                           carol.sni.velox.ch
    # Since this VirtualHost is listed first, it's also
    # the default one and will get selected if none
    # of the others match
  </VirtualHost>

  <VirtualHost *:443>
    SSLEngine On
    ServerName bob.sni.velox.ch:443
    ServerAlias dave.sni.velox.ch
    DocumentRoot /var/www/html/bob
    SSLCertificateFile /etc/pki/tls/certs/bob.sni.velox.ch.crt
    SSLCertificateKeyFile /etc/pki/tls/private/bob.sni.velox.ch.key
    # bob.sni.velox.ch.crt has a subjectAltName extension
    # with two dNSName entries: bob.sni.velox.ch and
    #                           dave.sni.velox.ch
  </VirtualHost>

  <VirtualHost *:443>
    SSLEngine On
    ServerName mallory.sni.velox.ch:443
    ServerAlias *.sni.velox.ch
    ServerAlias sni.velox.ch
    DocumentRoot /var/www/html/mallory
    SSLCertificateFile /etc/pki/tls/certs/mallory.sni.velox.ch.crt
    SSLCertificateKeyFile /etc/pki/tls/private/mallory.sni.velox.ch.key
    # mallory.sni.velox.ch.crt has a subjectAltName extension
    # with two dNSName entries: *.sni.velox.ch and
    #                           sni.velox.ch
    # Since it has a wildcard DNS name, it will match for any
    # VirtualHost below .sni.velox.ch which is not explicitly configured
  </VirtualHost>

Clicking on the ServerName and ServerAlias links should get you to these VirtualHosts. The .crt links will show the certificates in PEM format, preceded by an OpenSSL text dump.

Browsers/clients with support for TLS server name indication:

Last updated 2013-05-08, Kaspar Brand (contact: sni velox ch, insert "@" before and "." after "velox")