Our web site serves static content through a content delivery network (AWS CloudFront) which is configured to respond to a number of CNAMEs and use our SSL wildcard certificate for these hostnames. Since the CDN may serve many different virtual hosts from the same IP address, SNI support is required on the client-side.
We're well aware that some OS/browser combinations do not support SNI, so we've implemented a fallback to http based on the User-Agent header.
Yet, some customers reported back that content was not being served. There seemed to be no pattern in which browsers or OSes had the problem, e.g. a modern Chrome on a modern Windows would throw an ERR_CONNECTION_CLOSED. Also, entire offices would experience the same problem, so there was a strong indication that the problem stemmed from the network setup rather than individual clients. When we moved to a non-SNI solution the problem went away.
So, my question is if other elements in the network can thwart TLSv1 and/or SNI? Is it possible that gateways, routers, proxies, VPNs, or whatever else you might find in a network setup, can somehow prevent TLSv1/SNI from working?
Best Answer
One other possibility is HTTPS capable filtering proxy (like Squid) doing SSL Bumping and incorrectly using wrong (default) certificate based on IP address the connection is established to. See http://www.spinics.net/lists/squid/msg70666.html for a discussion that very much looks like your problem description.