SSL certificates for multiple virtual hosts: problem on IE for Windows XP

Using a single server for multiple virtual hosts is something that comes naturally nowadays for any web server sysadmin. Using SSL certificates is also common (particularly so since the infamous Blacksheep extension for Firefox as published a few years back). However, the mixing of SSL and virtual hosts might not be as easy as you might think. At least for some of your users... Some browsers in some old (but better than more recent, some might say) proprietary operating systems are resisting the trend. Erick, on our team, investigated a strange side effect of enabling a second SSL certificate on one of our multiple-virtual-hosts servers recently. It so happens that, when enabling the second certificate, Internet Explorer on Windows XP starts shouting that the site is not safe, with a huge warning similar to the one you get with self-signed certificates (the screenshot is in Spanish here, sorry, but you get the idea). [caption id="attachment_3619" align="aligncenter" width="300"]Image removed. SSL warning in IE under XP[/caption] You can read more about the problem with having several SSL certificates on a single server, and the solution thereof on the Apache Foundation's wiki, but to be short, a fix has been developed under the name of SNI, as an extension to SSL. Most browsers support that extension but, quite unsurprisingly, Internet Explorer on Windows XP doesn't. [caption id="attachment_3620" align="aligncenter" width="300"]Image removed. Browsers support for SNI[/caption] So, if you have any Internet Explorer user under XP, well, let's say that you will probably have to deploy a lot of efforts to give them security on your website. From the top of my mind, you could use a special redirect just for this case (based on the User Agent, I suppose) so that these users can use your site without SSL, or to give them a first page of warning before you send them to the site, that will alert them that it is supposedly not secure, and where you could tell them how to accept the certificate (because honestly, without reading the page in detail, they will just freak out). Of course, yet another solution is to make sure that all sites that use SSL are on different servers, but that's probably just not an option. But seriously... Internet Explorer, SERIOUSLY ???


The problem is quite old.

Only one SSL certificate per IP (not per Server; my Servers have multiple ip's).

Quite old indeed. So old I thought it was completely fixed already.
With several IPs, do you have to do something special for Apache to understand how to answer on a specific IP, or do you just leave it as is and direct the DNS of each domain to one of those IPs?

As you mentioned, just direct via DNS to IP, Apache will do the rest, if you have set up correct SSL:

But i agree, what a pitty that SSL is still the same old nasty stuff.
Too many problems where not solved.