SSL certificates for multiple virtual hosts: problem on IE for Windows XP

Using a single server for multiple virtual hosts is something that comes naturally nowadays for any web server sysadmin.

Using SSL certificates is also common (particularly so since the infamous Blacksheep extension for Firefox was published a few years back).

However, the mixing of SSL and virtual hosts might not be as easy as you might think. At least for some of your users…

Some browsers in some old (but better than more recent, some might say) proprietary operating systems are resisting the trend.

Erick, on our team, investigated a strange side effect of enabling a second SSL certificate on one of our multiple-virtual-hosts servers recently. It so happens that, when enabling the second certificate, Internet Explorer on Windows XP starts shouting that the site is not safe, with a huge warning similar to the one you get with self-signed certificates (the screenshot is in Spanish here, sorry, but you get the idea).

SSL warning in IE under XP

You can read more about the problem with having several SSL certificates on a single server, and its solution, on the Apache Foundation’s wiki. In short, a fix has been developed under the name of SNI (Server Name Indication), as an extension to SSL. Most browsers support that extension but, quite unsurprisingly, Internet Explorer on Windows XP doesn’t.

Browsers support for SNI

So, if you have any Internet Explorer users on XP, well, let’s say that you will probably have to put in a lot of effort to give them security on your website.

Off the top of my head, you could use a special redirect just for this case (based on the User Agent, I suppose) so that these users can use your site without SSL, or you could show them a warning page before you send them to the site, one that alerts them that the site is supposedly not secure and tells them how to accept the certificate (because honestly, without reading the page in detail, they will just freak out).

Of course, yet another solution is to make sure that all sites that use SSL are on different servers, but that’s probably just not an option.
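Before picking one of these workarounds, it helps to measure how many visitors actually reach the server without SNI. The script below is an added example, not code from the original post: it assumes a custom Apache log format that records mod_ssl's `SSL_TLS_SNI` variable next to the `Host` header, a hypothetical default virtual host `www.example.org`, and constructed sample log lines.

```python
import re
from collections import Counter

# Assumed LogFormat (hypothetical, not from the post):
#   "%h %{SSL_TLS_SNI}x %{Host}i \"%r\" %>s \"%{User-Agent}i\""
# Apache writes "-" for SSL_TLS_SNI when the ClientHello had no server name.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<sni>\S+) (?P<host>\S+) "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
DEFAULT_VHOST = "www.example.org"  # hypothetical first *:443 virtual host

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
198.51.100.7 shop.example.org shop.example.org "GET / HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"
203.0.113.9 - shop.example.org "GET / HTTP/1.1" 200 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
203.0.113.9 - Shop.Example.org:443 "GET /cart HTTP/1.1" 200 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
203.0.113.20 - www.example.org "GET / HTTP/1.1" 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
192.0.2.44 - shop.example.org "GET / HTTP/1.1" 200 "ExampleMonitor/1.0"
malformed line that the parser must skip
"""

def normalize_host(host):
    """Lower-case a Host header value and drop an optional :port suffix."""
    return host.lower().rsplit(":", 1)[0] if ":" in host else host.lower()

def is_ie_on_xp(user_agent):
    """MSIE on Windows NT 5.1/5.2 (XP), the client the post says lacks SNI."""
    return "MSIE" in user_agent and bool(re.search(r"Windows NT 5\.[12]\b", user_agent))

def wrong_cert_requests(log_text, default_vhost=DEFAULT_VHOST):
    """Count requests that arrived without SNI for a non-default host.

    Those clients were shown the default virtual host's certificate, so
    they are the ones who saw the name-mismatch warning.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["sni"] != "-":
            continue  # unparseable, or the client sent SNI
        host = normalize_host(m["host"])
        if host == default_vhost:
            continue  # default certificate already matches this name
        counts[(host, "IE/XP" if is_ie_on_xp(m["ua"]) else "other")] += 1
    return counts

if __name__ == "__main__":
    for (host, client), n in sorted(wrong_cert_requests(SAMPLE_LOG).items()):
        print(f"{host:20} {client:6} {n}")
```

The "other" bucket matters as much as the IE/XP one: monitoring agents and old HTTP libraries can also connect without SNI, and a redirect keyed on the User Agent would miss them.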

But seriously… Internet Explorer, SERIOUSLY ???



  • The problem is quite old.

    Only one SSL certificate per IP (not per Server; my Servers have multiple IPs).

  • Yannick Warnier
    14 September, 2013 at 11:04 pm

    Quite old indeed. So old I thought it was completely fixed already.
    With several IPs, do you have to do something special for Apache to understand how to answer on a specific IP, or do you just leave it as is and direct the DNS of each domain to one of those IPs?

  • As you mentioned, just direct via DNS to IP, Apache will do the rest, if you have set up correct SSL:

    But I agree, what a pity that SSL is still the same old nasty stuff.
    Too many problems were not solved.
