We have a site, www.name1.domain.com, for which we successfully created and installed an SSL cert. We then added another site, www.name2.domain.com, and are seeing some strange behavior in IE7 and IE8 (surprise!).

Essentially, IE7 and IE8 report a host name mismatch whenever we visit https://www.name2.domain.com/. When I examine the cert in IE for this domain, the host name is incorrect and points to the older host name, i.e., www.name1.domain.com.

Opera does not have this problem, and picks up the correct host name www.name2.domain.com for the second site without issue.

Any ideas why IE is misbehaving (apart from the sassy ones (-: )?

Thanks!

KM

Your problem is that Internet Explorer on Windows XP (and most likely other software too) isn't SNI capable.

I have just run into the same issue - essentially Opera and Chrome are OK and get the right certificate, but Internet Explorer doesn't. Then I looked around a little and saw this on Wikipedia, among other things:

Browsers with support for TLS server name indication [7]: Internet Explorer 7 or later, on Windows Vista or higher. Doesn't work on Windows XP, even Internet Explorer 8.

So, your Apache/OpenSSL combo is SNI capable and can do that, but Windows XP isn't.

My solution is that I am putting the main subdomain first in the VirtualHost configuration, and the secondary one after it. At least there's less explaining to clients about why this appears. I'm not sure whether it would meet your needs though.

Opera supports running SSL on the same port, 443 (using the same IP), for two virtual hosts (in Apache), but IE7 doesn't.

http://www.eggheadcafe.com/software/aspnet/36069240/sni-support.aspx

====

http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts2

Why is it not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?

Name-Based Virtual Hosting is a very popular method of identifying different virtual hosts. It allows you to use the same IP address and the same port number for many different sites. When people move on to SSL, it seems natural to assume that the same method can be used to have many different SSL virtual hosts on a single server.

It comes as rather a surprise to learn that it's impossible.

This is because the SSL protocol is a separate layer which encapsulates the HTTP protocol. So the SSL session is a separate transaction that takes place before the HTTP session has started. The server receives an SSL request on IP address X and port Y (usually 443). Because the SSL request doesn't contain any Host: field, the server has no way to decide which SSL virtual host to use. Usually, it will just use the first one it finds that matches the port and IP address specified.

You can, of course, use Name-Based Virtual Hosting to identify many non-SSL virtual hosts (all on port 80, for instance) and then have a single SSL virtual host (on port 443). But if you do this, you have to make sure to put the non-SSL port number on the NameVirtualHost directive, e.g.

NameVirtualHost 192.168.1.1:80

Other workaround solutions include:

- Using separate IP addresses for different SSL hosts.
- Using different port numbers for different SSL hosts.
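
The FAQ passage above describes a handshake that carries no host name, and the SNI answer describes the extension that adds one. As an added example (not code from the posts or from Apache), the Python below builds a constructed ClientHello body with and without the server_name extension and shows why a client without SNI is handed the first virtual host's certificate. It assumes a bare handshake body with no record or handshake header; the function names and certificate labels are hypothetical.

```python
import struct

def build_client_hello(server_name=None):
    """Build a constructed TLS ClientHello body, optionally carrying SNI."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry            # server_name_list
        exts += struct.pack("!HH", 0, len(sni)) + sni          # extension type 0
    body = b"\x03\x01" + bytes(32)   # client_version + 32-byte random (zeros here)
    body += b"\x00"                  # empty session_id
    body += b"\x00\x02\x00\x2f"      # cipher_suites: one entry
    body += b"\x01\x00"              # compression_methods: null only
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    return body

def extract_sni(body):
    """Return the host_name in a ClientHello body, or None when there is none."""
    pos = 2 + 32                                        # skip version + random
    pos += 1 + body[pos]                                # session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
    pos += 1 + body[pos]                                # compression_methods
    if pos + 2 > len(body):
        return None                                     # no extensions block at all
    end = min(pos + 2 + struct.unpack_from("!H", body, pos)[0], len(body))
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        pos += 4
        if ext_type == 0 and ext_len >= 5 and body[pos + 2] == 0:
            name_len = struct.unpack_from("!H", body, pos + 3)[0]
            return body[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None

def select_certificate(body, vhosts):
    """vhosts is an ordered list of (name, cert); the first entry is the default."""
    name = extract_sni(body)
    for vhost_name, cert in vhosts:
        if name == vhost_name:
            return cert
    return vhosts[0][1]              # no SNI or no match: first vhost's certificate
```

With the two sites from the question listed in order, a hello that names www.name2.domain.com gets that site's certificate, while a hello with no extension gets the www.name1.domain.com certificate, which is the mismatch IE on Windows XP reports.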