
I'm setting up SNI on an Apache server and I thought things were going well. I have two URLs from different domains that point at the same site. I have one virtual host set up for each with the appropriate certificate for each. One of the certificates is valid but the other is self-signed (waiting on GoDaddy for the real cert).

If I test the different URLs in Firefox, Safari and Opera, all works well. I get no errors for the URL with the valid certificate and I get a self-signed warning for the other. However, in Internet Explorer 8 and Google Chrome, both URLs return the valid certificate (even if it's not valid for the specific site). So for the one site, I get a valid certificate. For the other, I get a warning about the cert being for a different site. I tried switching the order of the vhosts and it made no difference. I know that Chrome and IE both use Windows' HTTP stack, so I understand why the behavior is the same for the two. What I don't understand is why I'm seeing this behavior.

JamesArmes
  • Just a quick sanity check: does https://alice.sni.velox.ch/ work for you with Chrome/IE? – earl Jul 22 '10 at 01:34
  • I don't get any certificate warnings, but I do get "Unfortunately, your client [Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4] did not send a TLS server name indication extension (RFC 4366) in its ClientHello (negotiated protocol: SSLv3), so you're probably getting warnings about certificate name mismatches." in both browsers (user agent strings are obviously different). – JamesArmes Jul 22 '10 at 10:23
  • I read through this page a little more and realized that I hadn't performed an adequate test. Going to https://bob.sni.velox.ch in IE and Chrome does indeed produce a certificate error. – JamesArmes Jul 22 '10 at 12:03

2 Answers


Odd setup? https://alic.sni.velox.ch/ works for my FF3, Chrome5 and IE8 browsers on Windows 7 x86 64-bit.

But on my Apache 2.2.13 with GnuTLS, FF3 and Chrome5 work, but IE8 is getting the first virtual host cert, not the second, third, etc. So IE8 does not seem to support SNI for Apache 2.2.13 and GnuTLS.


Answer part 1 here: The problem is SNI. Your browser does not send the hostname, so Apache just serves the first certificate it loaded.

Answer part 2 here: While IE7 & IE8 on Windows Vista and higher support SNI, the same browsers on XP do not.

Andreas