IE on XP does not support SNI to permit multiple certificates for single server

Rob Wassell · Aug 28, 2013 · Viewed 9.3k times

I've been searching for a few hours to find a solution to my question/problem and, whilst I believe that I have been able to clarify the reason why I have problems, I have been unable to find a resolution.

I have one server which is hosting multiple web sites and a couple of these web sites are using SSL certificates. I have some shared images accessed by all sites and the way to stop the non-secure error on the SSL site was to serve those shared images from https://www.example-shared-image-server.com/images/imagename.jpg

This worked fine, until, that is, I noticed that by using Internet Explorer on Windows XP it is giving the message "There is a problem with this website's security certificate". What I then identified is that it's because it's picking up a certificate for a different domain on the server. It's all to do with hosting multiple sites on one server with SSL certificates.

Let's say I have four sites with only the first two with SSL certificates installed.

https://www.one.com
https://www.two.com
http://www.three.com
http://www.four.com

And let's not forget the following:

https://www.example-shared-image-server.com

So when accessing images from the above shared image URL it is actually bringing up https://www.one.com, hence the error.

So it seems to be something to do with IE not supporting SNI or SSL/TLS on Windows XP or Vista whereas it is on Win 7 and Win 8. This seems like an immediate ploy by M$ to force people to upgrade to more current operating systems. But the fact is that all other browsers support it.

But, what I have not been able to identify is what I can do about it. So I believe my question is, is it possible to host multiple web sites using SSL on the same server on different domains without causing IE to show errors? If not, what do other people do? And if yes, how do I configure it?

I have been on this for hours so if someone could help, I would really appreciate it.

Many thanks,

Rob

Answer

EricLaw · Aug 28, 2013

Windows XP's version of SChannel does not support SNI, which means that IE and other WinINET/WinHTTP-based applications do not support SNI on that platform.

http://blogs.msdn.com/b/ieinternals/archive/2009/12/07/certificate-name-mismatch-warnings-and-server-name-indication.aspx

SNI support was introduced in Windows Vista; if you're not seeing it work on that platform, it's likely that IE was reconfigured away from the defaults to enable SSL2. SSLv2-compatible handshakes do not carry TLS extensions like the SNI extension.

The only real workarounds here are to either:

  1. Host each server on a different IP or port (so the server can select the certificate based on that information)
  2. Use a certificate that contains multiple hostnames using the SubjectAltName field of the certificate
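The two points in the answer above can be checked mechanically. The following is an added example, not code from the original question or answer: it builds a minimal TLS ClientHello with and without the server_name extension (RFC 6066), extracts the SNI host name from a raw handshake record (which is what a server-side packet capture of an XP client would be inspected for), refuses an SSLv2-compatible hello because that format has no room for TLS extensions, and then checks whether a certificate's names (in the dict layout Python's `ssl.getpeercert()` returns) cover a given host, which is the test for workaround 2. The function names, the hand-built handshakes and the sample certificate dicts are all constructed for this example.

```python
"""Added example: SNI presence in a ClientHello, and SAN coverage of a host.
Handshake bytes and certificate dicts below are constructed, not captured."""
import struct

SNI_EXT_TYPE = 0  # extension type server_name (RFC 6066)


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.0 ClientHello record (constructed test input).
    With server_name given, a server_name extension is appended."""
    body = b"\x03\x01" + bytes(32)      # client_version 3.1 + 32-byte random
    body += b"\x00"                       # session_id: empty
    body += b"\x00\x02\x00\x2f"           # cipher_suites: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                   # compression_methods: null only
    if server_name is not None:
        name = server_name.encode("ascii")
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name  # NameType host_name(0)
        ext_data = struct.pack("!H", len(sni_list)) + sni_list
        ext = struct.pack("!HH", SNI_EXT_TYPE, len(ext_data)) + ext_data
        body += struct.pack("!H", len(ext)) + ext                 # extensions block
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# SSLv2-compatible hello: 2-byte length with the high bit set, then msg type CLIENT-HELLO (1).
SSLV2_HELLO = b"\x80\x2e\x01" + bytes(0x2e - 1)


def extract_sni(record):
    """Return the SNI host name carried by a TLS ClientHello record, or None.
    Raises ValueError for an SSLv2-compatible hello (no extension space) or non-ClientHello data."""
    if len(record) >= 3 and record[0] & 0x80 and record[2] == 0x01:
        raise ValueError("SSLv2-compatible ClientHello cannot carry TLS extensions")
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                     # skip version + random
    pos += 1 + body[pos]                             # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                             # compression_methods
    if pos + 2 > len(body):
        return None                                  # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        ext_data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != SNI_EXT_TYPE:
            continue
        p, list_end = 2, 2 + struct.unpack("!H", ext_data[:2])[0]
        while p + 3 <= list_end:
            name_type, name_len = ext_data[p], struct.unpack("!H", ext_data[p + 1:p + 3])[0]
            if name_type == 0:
                return ext_data[p + 3:p + 3 + name_len].decode("ascii")
            p += 3 + name_len
    return None


def cert_covers_host(cert, hostname):
    """True if hostname matches a DNS subjectAltName (or CN when no SAN exists).
    Wildcards match one label only, e.g. *.two.com covers img.two.com."""
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    host = hostname.lower().rstrip(".")
    for n in (x.lower() for x in names):
        if n == host:
            return True
        if n.startswith("*.") and "." in host and host.split(".", 1)[1] == n[2:]:
            return True
    return False


# Constructed sample certificates: the default one a non-SNI client gets, and a SAN certificate.
DEFAULT_CERT = {"subject": ((("commonName", "www.one.com"),),),
                "subjectAltName": (("DNS", "www.one.com"), ("DNS", "one.com"))}
SAN_CERT = {"subject": ((("commonName", "www.one.com"),),),
            "subjectAltName": (("DNS", "www.one.com"), ("DNS", "*.two.com"),
                               ("DNS", "www.example-shared-image-server.com"))}

if __name__ == "__main__":
    shared = "www.example-shared-image-server.com"
    print("SNI in modern hello:", extract_sni(build_client_hello(shared)))
    print("SNI in hello without extensions:", extract_sni(build_client_hello()))
    try:
        extract_sni(SSLV2_HELLO)
    except ValueError as e:
        print("SSLv2 hello:", e)
    print("default cert covers shared host:", cert_covers_host(DEFAULT_CERT, shared))
    print("SAN cert covers shared host:", cert_covers_host(SAN_CERT, shared))
```

Against a live server the same question can be asked with OpenSSL: `openssl s_client -connect host:443` without `-servername` shows the certificate a non-SNI client such as IE on XP receives, and that certificate is the one whose names must cover the shared image host if workaround 2 is chosen.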