I know there are tons of posts about multiple SSL on same IP, but I promise I'm not beating a dead horse. My question is very clear. First, a little background...
Our organization has several ecommerce sites. All of these sites are running on the same IP, using SNI for name-based virtual hosts. In most cases, this is working great. However, in some browsers (IE7 / IE8, but only on select machines for some reason), we got reports that users were seeing a domain mismatch with the SSL certificate. It turned out that they were seeing the SSL certificate for the first SSL host in alphabetic order, since Apache resolves the IP address first, THEN grabs what it thinks is the right virtual host file.
I did some experimenting with the SSL protocol and found that if I set it thusly (ssl.conf):
SSLProtocol TLSv1
Then I'd simply get a not found for any of the https domains in IE.
If I set SSLStrictSNIVHostCheck on in ports.conf
SSLStrictSNIVHostCheck on
Then I'd get a permission denied in the problematic browsers.
The problem is obviously that IE is not supporting, or not using, the TLSv1 protocol, or SNI, both of which are needed. So my question is...
Is there a configuration change I can make to support IE, perhaps under a different protocol, or is my only option using a separate IP for each virtual host which requires SSL?
Thanks in advance = )
SNI support is still, unfortunately, rather lacking. You don't specify, but I'd wager that your problematic IE browsers are on Windows XP machines, yes? There is no SNI support in any version of IE on Windows XP (or earlier); only Vista and later support it, and only in IE 7 and later.
See here for a list of browsers supporting SNI.
My advice: If you need to support clients that lack SNI support (and with the number of XP systems still out there, you quite likely do need to), then you'll have to implement solutions that do not depend on SNI.
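The following Python example is added here; it is not code from the question, the answers, or Apache itself. It builds two constructed TLS 1.0 ClientHello records (one carrying the server_name extension, one without it, as a non-SNI browser such as IE on Windows XP sends), extracts the SNI hostname the way a server does, and models how Apache picks a name-based SSL virtual host on a shared IP: an SNI match selects that vhost, anything else falls back to the first vhost defined, and with SSLStrictSNIVHostCheck on a non-SNI request for any vhost other than the default is refused with 403. The vhost names shop-a.example and shop-b.example are made up for the demonstration.

```python
import struct
from typing import List, Optional, Tuple

SNI_EXTENSION_TYPE = 0x0000  # RFC 6066 server_name extension

# Constructed vhost list in Apache's definition order; the first entry is the
# default vhost whose certificate non-SNI clients receive (hypothetical names).
VHOSTS = ["shop-a.example", "shop-b.example", "shop-c.example"]


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal TLS 1.0 ClientHello record (constructed sample input).
    With server_name=None the extensions block is omitted entirely."""
    body = b"\x03\x01"                              # client_version: TLS 1.0
    body += b"\x11" * 32                            # random (fixed for the demo)
    body += b"\x00"                                 # session_id length 0
    body += b"\x00\x04" + b"\x00\x2f\x00\x35"       # two cipher suites
    body += b"\x01\x00"                             # one compression method: null
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # type 0 = host_name
        sni_data = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_data)) + sni_data
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello record, or None when the client
    sent no server_name extension. Raises ValueError on malformed input."""
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                   # skip version and random
        pos += 1 + body[pos]                           # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                           # compression_methods
        if pos == len(body):
            return None                                # no extensions at all
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        if end > len(body):
            raise ValueError("extensions overrun ClientHello")
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type != SNI_EXTENSION_TYPE:
                continue
            list_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if name_type == 0:                     # host_name
                    return data[q:q + name_len].decode("ascii")
                q += name_len
        return None
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def handle_request(record: bytes, host_header: str, vhosts: List[str],
                   strict: bool = False) -> Tuple[str, int]:
    """Model Apache's per-IP SSL vhost selection. Returns (vhost whose
    certificate was presented, HTTP status). SNI match -> that vhost; no SNI or
    no match -> vhosts[0], so the browser warns unless host_header is the
    default. strict=True models SSLStrictSNIVHostCheck on: a non-SNI request
    for any non-default vhost is answered 403."""
    name = extract_sni(record)
    cert_vhost = vhosts[0]
    if name is not None:
        for host in vhosts:
            if host.lower() == name.lower():
                cert_vhost = host
                break
    elif strict and host_header.lower() != vhosts[0].lower():
        return cert_vhost, 403
    return cert_vhost, 200


if __name__ == "__main__":
    for hello, label in ((build_client_hello("shop-b.example"), "SNI client"),
                         (build_client_hello(None), "non-SNI client")):
        print(label, "->", handle_request(hello, "shop-b.example", VHOSTS),
              "strict:", handle_request(hello, "shop-b.example", VHOSTS, strict=True))
```

Against a live server the same check is `openssl s_client -connect host:443` (no SNI sent) versus `openssl s_client -connect host:443 -servername host`; if the two handshakes return different certificates, non-SNI browsers will see the first one and warn about the name mismatch.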
If you want to reach a broad audience, then do not use SNI. It is not supported widely enough and you should avoid it for at least a couple of years from now.
You should have a look at UCC/SAN certificates instead. They are usually pricier, but it's the right thing to do in this situation. Or you could have allocated an IP address for each site.
http://www.geotrust.com/ssl/ssl-certificates-san-uc/ gives a little more info on this type of certificate.
Today about 10% of the internet users lack support for Server Name Indication. At GlobalSign we recently created a solution to support users that have no support for Server Name Indication (SNI) by using two SSL Certificates (one is for the IP address and is free). You can read more about the problem and the solution we created to safely host multiple SSL Certificates on a single IP address in a blog article that we published today.
https://www.globalsign.com/blog/saving-ipv4-resources.html