SSL certificates for multiple virtual hosts: problem on IE for Windows XP
Using a single server for multiple virtual hosts is something that comes naturally nowadays for any web server sysadmin.
Using SSL certificates is also common (particularly so since the infamous Blacksheep extension for Firefox was published a few years back).
However, the mixing of SSL and virtual hosts might not be as easy as you might think. At least for some of your users…
Some browsers in some old (but better than more recent, some might say) proprietary operating systems are resisting the trend.
Erick, on our team, investigated a strange side effect of enabling a second SSL certificate on one of our multiple-virtual-hosts servers recently. It so happens that, when enabling the second certificate, Internet Explorer on Windows XP starts shouting that the site is not safe, with a huge warning similar to the one you get with self-signed certificates (the screenshot is in Spanish here, sorry, but you get the idea).
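You can read more about the problem with having several SSL certificates on a single server, and the solution to it, on the Apache Foundation’s wiki. The underlying issue is that the server has to present a certificate before it has seen the HTTP Host header, so it cannot tell which virtual host the client wants. In short, a fix has been developed under the name of SNI (Server Name Indication), as an extension to SSL. Most browsers support that extension but, quite unsurprisingly, Internet Explorer on Windows XP doesn’t.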
So, if you have any Internet Explorer users on XP, well, let’s say that you will probably have to put in a lot of effort to give them security on your website.
Off the top of my head, you could use a special redirect just for this case (based on the User Agent, I suppose) so that these users can use your site without SSL. Or you could give them a warning page before you send them to the site, alerting them that the browser will report it as not secure and telling them how to accept the certificate (because honestly, without reading the page in detail, they will just freak out).
Of course, yet another solution is to make sure that all sites that use SSL are on different servers, but that’s probably just not an option.
But seriously… Internet Explorer, SERIOUSLY ???