IE8 on Windows XP does not support SNI, or “you desktop IT people have broken something”.

Just before Windows XP gets to take a well-earned retirement on “the farm”, it popped its ugly head up this week with an end user complaining we did something to break their new website.

On purpose no less.

It seems IE8/Windows XP was receiving the wrong HTTPS certificate.

Upon investigation, I realised that the issue was that IE8 on WinXP does not support SNI.

Server Name Indication (SNI) allows a web browser to tell a web host which site it is connecting to.  (A web host can host multiple web sites …).  The browser needs to tell the web host which site it wants so that the web host can return the right HTTPS certificate for that site.

If the browser does not support SNI, it will get the web host's default certificate, which may cause certificate errors to be displayed in the browser.

To prove that it was a lack of SNI support causing the issue, I used the excellent Qualys SSL Labs SSL Server Test tool.

I suggested to the customer that they use an alternate web browser, until they can replace Windows XP.

Internet Explorer Compatibility Mode

“When people inside the building visit our web site, IE Compatibility mode is being forced on.  People on the internet don’t get compatibility mode.  Please fix.”

Internet Explorer Compatibility Mode was created by Microsoft for corporate customers.  It was first introduced with Internet Explorer 8.  Corporate customers predominantly had websites coded for Internet Explorer 6.  Websites in the “Intranet” Security Zone get Compatibility Mode.

The solution to the customer query is to configure their webpage to specify which compatibility mode it is designed for.  Microsoft have some guidance on this:
  • Defining document compatibility
  • Attaining IE8 Site Compatibility – Short Reference
  • Understanding Compatibility Modes in Internet Explorer 8
  • Specifying legacy document modes

If you visit a website with Internet Explorer, and press the F12 key, you’ll launch the Developer Tools screen.
[Screenshot: IE Compatibility Mode]

The webpage shown in the Developer Tools screenshot above is running in IE8 Standards mode.  The IE8 Standards mode has been forced by the X-UA-Compatible meta tag.


Some other things to be aware of.

Document Mode vs. Browser Mode
Document Mode
Influences how the page displays in the browser.
The web server can force the document mode to what it wants.  In the example above, “IE8 Standards” mode has been forced by the X-UA-Compatible tag.
So, in essence, the Document Mode setting is “owned” by the web server.

Browser Mode
Browser Mode, simply put, is Internet Explorer telling the web server what it can display.
In a corporate environment, placing a site into the Intranet Zone forces IE Compatibility Mode on.

Document Mode will in all (most?) cases override Browser Mode.
And this makes sense when you think about it.  The web server, and the webpage author, should know what their webpage is designed for.

Gotchas I’ve seen / heard of:

  • Placing the X-UA-Compatible meta tag in the HEAD section AFTER any scripts or CSS, DOES NOT WORK
  • The X-UA-Compatible meta tag MUST be in the HEAD section before all other elements except for the title element and other meta elements.
  • Having multiple X-UA-Compatible meta tags in the one page DOES NOT WORK.
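The three placement rules above can be checked mechanically before a page ships. This is an added example, not code from the original post: a small linter built on Python's standard `html.parser`, run over two constructed pages. The function and class names and the sample markup are assumptions for illustration.

```python
from html.parser import HTMLParser

class HeadScan(HTMLParser):
    """Records every X-UA-Compatible meta tag and what preceded it in <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.seen_other = None   # first <head> element that is not <title> or <meta>
        self.tags = []           # (content, was_in_head, element_that_preceded_it)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "head":
            self.in_head = True
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "x-ua-compatible":
            self.tags.append((a.get("content"), self.in_head, self.seen_other))
        elif self.in_head and tag not in ("title", "meta") and self.seen_other is None:
            self.seen_other = tag

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def lint_x_ua_compatible(html):
    """Return a list of rule violations; an empty list means the tag is well placed."""
    scan = HeadScan()
    scan.feed(html)
    problems = []
    if not scan.tags:
        problems.append("no X-UA-Compatible meta tag")
    if len(scan.tags) > 1:
        problems.append("multiple X-UA-Compatible meta tags")
    for content, in_head, preceded_by in scan.tags:
        if not in_head:
            problems.append("tag is outside <head>")
        elif preceded_by:
            problems.append("tag comes after <%s>" % preceded_by)
    return problems

# Constructed sample pages.
GOOD = ('<html><head><title>t</title>'
        '<meta http-equiv="X-UA-Compatible" content="IE=8">'
        '<link rel="stylesheet" href="s.css"></head><body></body></html>')
BAD = ('<html><head><script src="a.js"></script>'
       '<meta http-equiv="X-UA-Compatible" content="IE=8">'
       '<meta http-equiv="X-UA-Compatible" content="IE=7"></head><body></body></html>')
```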

Intranet site is identified as an Internet site when you use an FQDN or an IP address
When you access a local area network (LAN), an intranet share, or an intranet Web site by using an Internet Protocol (IP) address or a fully qualified domain name (FQDN), the share or Web site may be identified as in the Internet zone instead of in the Local intranet zone. For example, this behavior may occur if you access shares or Web sites with Microsoft Internet Explorer or Windows Internet Explorer, with Microsoft Windows Explorer, with a command prompt, or with a Windows-based program when you use an address in any one of the following formats:
  • \\Computer.childdomain.domain.com\Share
  • http://computer.childdomain.domain.com
  • \\157.54.100.101\share
  • file://157.54.100.101/share
  • http://157.54.100.101

Semi-regular web-link clearance (3) – January 2010

How to Install GPMC on Server 2008, 2008 R2, and Windows 7 (via RSAT)

Can You See Me – Open Port Check Tool

Is a free utility for remotely verifying a port is open or closed. It will be useful for users who wish to check to see if a server is running or a firewall or ISP is blocking certain ports.

Setting up a Windows 7 Media Center

Windows XP Power Management and Group Policy Preferences

Windows XP only has one active power scheme for the entire computer and that scheme is based on the current or previously logged on user—that is to say Windows XP power schemes are only user-based. This means the power scheme can change as each user logs on. Also, it means that last logged on user’s power settings are the settings that remain once the user logs off. And yes, each user has its own power configuration; however, the entire operating system only has one active power scheme.

PHP and IE8 Web Slices

Internet Explorer 8 (IE8) shipped with a new feature for web users called Web Slices. … Essentially it lets you add enhanced links to your favorite bar that allow you to preview snippets of content from websites that you frequently visit without having to open up the page. It’s really useful to do little tasks like check on your web based Inbox, check the weather in cities you live or visit, traffic status, stock tickers, headlines, sports, the list goes on and on and you can check the IE add-on gallery for more examples of useful web slices and for inspiration.

How to customize default user profiles in Windows 7 (KB973289)

To customize a default user profile or a mandatory user profile, you must first customize the default user profile. Then, the default user profile can be copied to the appropriate shared folder to make that user profile either the default user profile or a mandatory user profile.
