Ian G wrote:
> Nelson explained this a while ago ... until the browsers go to SSL3 / TLS 1.0 they cannot handle virtual hosts.
Ian, If you're going to attribute explanations to me, please be sure you get them right.
Today the browsers support all 3: SSL2, SSL3, TLS1. The new TLS extensions are incompatible with SSL2. So until support for SSL2 is dropped, browsers will not use the TLS extensions.
However, in your case, that's probably not really such a big deal. SSL has had the ability to support multiple domain names in a single cert for years. Numerous CAs now offer certs with multiple domain names. You can serve the multiple domain names you want to serve with a single cert. The browser will send the intended domain name in the http header, as in non-secured browsing.
> So my suggestion at the time was to simply set a time schedule and state in a PR that Firefox switches over to TLS 1.0 at a certain date, and sites using SSL2 would suffer.
Any time mozilla disables a feature that works in IE, it only costs mozilla marketshare. People who cannot reach a popular site with mozilla cite this as another reason to go back to IE.
> (name them and shame them, I say. Take no prisoners!)
Try looking through the bug database for SSL2 bugs. There is a bug whose only purpose is to track SSL2-only sites.
> The other browsers would no doubt follow suit.
See the explanation above. If IE dropped it, the other browsers with less market share would probably also immediately do so. But none of them want to lose market share to the others.
-- Nelson B
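Added example, not part of the original message: a sketch of the single-cert approach described above, where one certificate lists several names and the server picks the virtual host from the HTTP Host header after the handshake. It assumes the names are carried as subjectAltName dNSName entries in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns; the certificate, host table and function names are constructed for illustration.

```python
# Constructed certificate, in the dict shape ssl.SSLSocket.getpeercert() returns.
CERT = {"subjectAltName": (("DNS", "www.example.com"),
                           ("DNS", "shop.example.net"),
                           ("DNS", "*.example.org"))}

# Hypothetical virtual-host table: Host name -> document root.
VHOSTS = {
    "www.example.com": "/srv/www",
    "shop.example.net": "/srv/shop",
    "mail.example.org": "/srv/mail",
}

def name_matches(pattern, host):
    """Compare one dNSName with a host; '*' may only be the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Wildcard covers exactly one label and never a bare top-level name.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_covers(cert, host):
    """True if any dNSName entry in the certificate matches the host."""
    return any(kind == "DNS" and name_matches(value, host)
               for kind, value in cert.get("subjectAltName", ()))

def host_header(raw_request):
    """Return the Host header value without a port, or None if absent."""
    for line in raw_request.split("\r\n")[1:]:  # skip the request line
        if not line:
            break  # blank line ends the headers
        key, _, value = line.partition(":")
        if key.strip().lower() == "host":
            return value.strip().split(":")[0]
    return None

def route(cert, vhosts, raw_request):
    """Pick a document root only if the Host name is covered by the cert."""
    host = host_header(raw_request)
    if host is None or not cert_covers(cert, host):
        return None
    return vhosts.get(host.lower())
```

The server presents the same certificate to every client because it cannot know the intended name until the Host header arrives, which is why every served name has to be listed in that one certificate.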