Tuesday, June 27, 2017

apache 2.2 - Problems with multiple SSL on same IP, but only in select clients

I know there are tons of posts about multiple SSL on same IP, but I promise I'm not beating a dead horse. My question is very clear. First, a little background...

Our organization has several ecommerce sites. All of these sites are running on the same IP, using SNI for name based virtual hosts. In most cases, this is working great. However, in some browsers (ie7 / ie8, but only on select machines for some reason), we got reports that users were seeing a domain mismatch with the SSL certificate. It turned out that they were seeing the SSL certificate for the first SSL host in alphabetic order, since Apache resolves the IP address first, THEN grabs what it thinks is the right virtual host file.

I did some experimenting with the SSL protocol and found that if I set it thusly (ssl.conf):

SSLProtocol TLSv1

Then I'd simply get a not found for any of the https domains in IE.

If I set SSLStrictSNIVHostCheck on in ports.conf

SSLStrictSNIVHostCheck on

Then I'd get a permission denied in the problematic browsers.

The problem is obviously that IE is not supporting, or not using, the TLSv1 protocol, or SNI, both of which are needed. So my question is...

Is there a configuration change I can make to support IE, perhaps under a different protocol, or is my only option using a separate IP for each virtual host which requires SSL?

Thanks in advance = )

Answer

SNI support is still, unfortunately, rather lacking. You don't specify, but I'd wager that your problematic IE browsers are on Windows XP machines, yes? There is no SNI support in any version of IE on Windows XP (or earlier); only Vista and later support it, and only in IE 7 and later.

See here for a list of browsers supporting SNI.

My advice: If you need to support clients that lack SNI support (and with the number of XP systems still out there, you quite likely do need to), then you'll have to implement solutions that do not depend on SNI.
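A way to see the selection behaviour the question describes and the answer's "no SNI" layout side by side, as an added example that is not part of the original question or answer and is not Apache's own code: a small model of how mod_ssl picks a name-based SSL vhost (address first, then SNI name, first-defined vhost as the default for non-SNI clients, refusal when SSLStrictSNIVHostCheck is on), plus a live probe that reproduces a client with no SNI support. The hostnames, IP addresses and certificate paths are constructed for illustration.

```python
"""Added example (not from the original post or Apache's own code): a
small model of how Apache 2.2 mod_ssl picks a name-based SSL vhost, plus a
live probe that reproduces a non-SNI client. Hostnames, IPs and cert paths
below are constructed for illustration."""
import re
import socket
import ssl
from typing import List, Optional

# Constructed config: both shops share 203.0.113.10:443. Apache includes
# sites-enabled/* alphabetically, so alpha is defined first and becomes the
# default vhost for that address; non-SNI clients always land on it.
SINGLE_IP_CONFIG = """
<VirtualHost 203.0.113.10:443>
    ServerName alpha-shop.example.com
    SSLCertificateFile /etc/ssl/alpha.crt
</VirtualHost>
<VirtualHost 203.0.113.10:443>
    ServerName beta-shop.example.com
    ServerAlias www.beta-shop.example.com
    SSLCertificateFile /etc/ssl/beta.crt
</VirtualHost>
"""

# The SNI-free layout the answer points at: one IP per SSL host, so the
# address alone identifies the vhost and therefore the certificate.
SEPARATE_IP_CONFIG = """
<VirtualHost 203.0.113.10:443>
    ServerName alpha-shop.example.com
    SSLCertificateFile /etc/ssl/alpha.crt
</VirtualHost>
<VirtualHost 203.0.113.11:443>
    ServerName beta-shop.example.com
    SSLCertificateFile /etc/ssl/beta.crt
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S)


def parse_vhosts(config: str) -> List[dict]:
    """Return vhosts in definition order: address, all names, cert path."""
    vhosts = []
    for addr, body in VHOST_RE.findall(config):
        names = re.findall(r"^\s*ServerName\s+(\S+)", body, re.M)
        for alias_line in re.findall(r"^\s*ServerAlias\s+(.+)$", body, re.M):
            names.extend(alias_line.split())
        cert = re.search(r"^\s*SSLCertificateFile\s+(\S+)", body, re.M)
        vhosts.append({
            "addr": addr.strip(),
            "names": [n.lower() for n in names],
            "cert": cert.group(1) if cert else None,
        })
    return vhosts


def select_vhost(config: str, addr: str, sni: Optional[str],
                 strict_sni_check: bool = False) -> Optional[dict]:
    """Model mod_ssl's choice for one TLS handshake.

    Apache narrows by IP:port first, then by the SNI name.  A client that
    sends no SNI (sni=None) gets the first vhost defined for the address,
    which is why the question's users saw the wrong certificate.  With
    SSLStrictSNIVHostCheck on, that same client is refused instead (None),
    matching the "permission denied" the question reports.
    """
    candidates = [v for v in parse_vhosts(config) if v["addr"] == addr]
    if not candidates:
        return None
    if sni is None:
        return None if strict_sni_check else candidates[0]
    for v in candidates:
        if sni.lower() in v["names"]:
            return v
    return candidates[0]  # unknown SNI name: falls back to the default vhost


def served_cert_names(host: str, port: int = 443, sni: Optional[str] = None,
                      timeout: float = 5.0) -> List[str]:
    """Live check: hostnames in the certificate a client actually receives.

    Call once with sni=<hostname> and once with sni=None; if the two lists
    differ, non-SNI clients are being handed another vhost's certificate.
    Needs network access and a CA-signed certificate (chain verification
    stays on so that getpeercert() returns the parsed certificate; only the
    hostname check is disabled, because a mismatch is what we want to see).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            cert = tls.getpeercert()
    names = [value for rdn in cert.get("subject", ()) for key, value in rdn
             if key == "commonName"]
    names += [value for key, value in cert.get("subjectAltName", ())
              if key == "DNS"]
    return names
```

The same live check can be done from a shell with `openssl s_client -connect host:443` once without `-servername` and once with `-servername host`; a different certificate subject in the two runs is the symptom the question describes, and it disappears only when each SSL host has its own IP (or is otherwise served without relying on SNI).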
