Hi!

> As far as I understand it, the whole HTTP traffic is encrypted by SSL.
> This includes the Host header which Apache would use for determining
> the correct vHost. SNI is a workaround to send the host name
> unencrypted. Or that's how I understand it. But I'm no expert on this
> stuff. I just want to make sure we don't make our sites less
> accessible to any potential users, especially those in corporations
> where IE+WinXP is a common use.
>
> If I'm correct with how I understand it, we're using SNI currently
> (because we use a single IP) so could anyone try accessing our sites
> via HTTPS from an XP-based IE?

I've read the Wikipedia article about it now, and I guess that SNI is not used when using SANs, because...

SNI comes into effect when a virtual host has certificate A and another virtual host has certificate B. So Apache cannot guess which certificate to choose and to present to the browser. (That would be in a shared hosting with different customers that need distinct certificates.)

In our scenario we simply use one certificate that is configured for every virtual host, so the certificate that is sent to the browser is always the same, but using the SANs the browser sees that the requested hostname is a valid hostname within the certificate.

At least, that's what I understand. Can somebody do what Andi asked and validate this?

Kind regards
Dennis
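
The two scenarios compared in this message, as an added example that is not part of the original thread: a simplified Python model of which certificate a server presents with and without SNI, and whether the client's hostname check against the SANs passes. It is not real TLS code; all hostnames and certificates are constructed, and the fallback to a default vhost's certificate when no SNI is sent is an assumption about the server's behaviour.

```python
# Added illustration: a model of certificate selection, not real TLS.
# Every hostname and certificate below is constructed.

def san_matches(pattern, host):
    """Hostname check: exact match, or '*' standing for the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        # A wildcard covers exactly one label: *.example.org != a.b.example.org
        head, _, tail = h.partition(".")
        return bool(head) and tail == p[2:]
    return p == h

def select_cert(vhosts, default, sni):
    """Server side: use the vhost's cert if the ClientHello carried SNI,
    otherwise fall back to the default vhost's cert (assumed behaviour)."""
    return vhosts.get(sni, vhosts[default]) if sni else vhosts[default]

def handshake_ok(vhosts, default, host, client_sends_sni):
    """Client side: does the presented cert list the requested host as a SAN?"""
    cert = select_cert(vhosts, default, host if client_sends_sni else None)
    return any(san_matches(s, host) for s in cert["san"])

# Scenario from this message: one SAN certificate configured on every vhost.
shared = {"name": "shared",
          "san": ["www.example.org", "wiki.example.org", "*.dev.example.org"]}
SAN_SETUP = {h: shared for h in
             ("www.example.org", "wiki.example.org", "ci.dev.example.org")}

# Shared-hosting scenario: a distinct certificate per vhost.
PER_VHOST = {
    "www.example.org": {"name": "A", "san": ["www.example.org"]},
    "wiki.example.org": {"name": "B", "san": ["wiki.example.org"]},
}

def report():
    """Return (setup, host, client_sends_sni, name_check_passes) for every case."""
    rows = []
    for label, vhosts in (("one SAN cert", SAN_SETUP), ("cert per vhost", PER_VHOST)):
        for host in vhosts:
            for sni in (True, False):
                ok = handshake_ok(vhosts, "www.example.org", host, sni)
                rows.append((label, host, sni, ok))
    return rows

if __name__ == "__main__":
    for label, host, sni, ok in report():
        result = "valid" if ok else "name mismatch"
        print(f"{label:15} {host:20} SNI={sni!s:5} -> {result}")
```

In the model, only the per-vhost setup fails for a client that sends no SNI, and only for hosts other than the default one.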