I never thought that could be a problem. Well after digging around for HTTP+SSL (multiple certificates) and after understanding how it works, yes this is definitely a problem :-).
The idea behind SNI is that the clients domain name request is deferred until the certificate is exchanged between the the two parties . This gives the server the change to switch to the right named virtual host :-)…. yeah thats cooooool.
See here RFC3546 (Section 3.1) for an in deep description.
SNI works with (according wikipedia):
- Mozilla Firefox 2.0 or later
- Opera 8.0 or later (the TLS 1.1 protocol must be enabled)
- Internet Explorer 7 (Vista or higher, not XP) or later
- Google Chrome (Vista or higher. XP on Chrome 6 or newer. OS X 10.5.7 or higher on Chrome 5.0.342.1 or newer)
- Safari Safari 3.2.1 and newer on Mac OS X 10.5.6 and Windows Vista or higher, not XP
- Any Apple iDevice running iOS4 has support for TLS server name indication.
If you want to use SNI for your server you have to put your *.443 hosts configs into one file.
Listen 443 NameVirtualHost *:443 # Also accept connections from none SNI capable hosts SSLStrictSNIVHostCheck off # This is our default virtual host. DocumentRoot /www/blub1 ServerName www.blub1.at # Other directives here DocumentRoot /www/blub1 ServerName www.blub.at # Other directives here