GNOME Bugzilla – Bug 641080
doesn't support TLS SNI (Server Name Indication)
Last modified: 2011-08-07 17:09:14 UTC
Epiphany doesn't use the Server Name Indication TLS extension to signal the name of the (virtual) host it wishes to contact to the SSL server. At sites where some part of the SSL handshake (which server certificate to present, whether a client certificate gets requested, etc.) is different between virtual hosts, this will cause the connection to fail to work as intended.

An Apache vhost configured with "SSLStrictSNIVHostCheck on" presents a 403 Forbidden page to the user and logs the following error when contacted by Epiphany:

[Mon Jan 31 16:29:48 2011] [error] No hostname was provided via SNI for a name based virtual host

The above check is required on the particular virtual host I've tested against exactly because its configuration differs from that of other virtual hosts on the same server (it needs to request client certificates, whereas we don't want to trigger stupid "select client certificate" popups on the rest of the site).

Wikipedia has some background information about SNI: http://en.wikipedia.org/wiki/Server_Name_Indication
This was because we were always using SSLv3 with no extensions, to support certain broken servers. libsoup has been fixed now to use TLS+extensions first, and then try again with plain SSLv3 only if that fails, so now it should be using SNI on hosts that support it.

*** This bug has been marked as a duplicate of bug 581342 ***
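An added example, not part of the bug report or of libsoup's code: a Python sketch that produces the ClientHello a client would send with and without a hostname (standard ssl module over in-memory BIOs, no network I/O) and parses it for the server_name extension, which is the field a server-side check such as SSLStrictSNIVHostCheck depends on. The hostname vhost.example.test and the SSLv3-style hello bytes are constructed sample values.

```python
import ssl
import struct

def client_hello(server_hostname=None):
    """Return the raw ClientHello record the ssl module would send (no network I/O)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # permit a handshake without a hostname, i.e. without SNI
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello is queued and the client waits for a reply
    return outgoing.read()

def sni_from_client_hello(record):
    """Return the host name from the server_name extension, or None if absent."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    try:
        pos = 2 + 32                                          # version + random
        pos += 1 + body[pos]                                  # session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + body[pos]                                  # compression_methods
    except IndexError:
        raise ValueError("truncated ClientHello") from None
    if pos + 2 > len(body):
        return None  # hello with no extensions block at all
    end = min(len(body), pos + 2 + int.from_bytes(body[pos:pos + 2], "big"))
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == 0 and len(data) >= 5 and data[2] == 0:  # server_name / host_name
            return data[5:5 + int.from_bytes(data[3:5], "big")].decode("ascii")
    return None

# Constructed SSLv3-style hello with no extensions (one cipher suite, null compression).
_BODY = b"\x03\x00" + bytes(32) + b"\x00" + b"\x00\x02\x00\x35" + b"\x01\x00"
SSLV3_HELLO = (b"\x16\x03\x00" + struct.pack("!H", 4 + len(_BODY))
               + b"\x01" + len(_BODY).to_bytes(3, "big") + _BODY)

if __name__ == "__main__":
    for label, rec in [("with hostname", client_hello("vhost.example.test")),
                       ("no hostname", client_hello()),
                       ("SSLv3, no extensions", SSLV3_HELLO)]:
        print(f"{label}: SNI = {sni_from_client_hello(rec)!r}")
```

The same parser can be pointed at a ClientHello record taken from a packet capture to confirm whether a given client build sends SNI.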