The problem is that in order to know from which virtual host to serve content, a
webserver must inspect the "Host" header. This is part of the HTTP
request. However, the SSL handshake takes place before any HTTP request
is initiated. In order to complete the handshake, the webserver needs
to know which SSL certificate to use. Since the webserver can't yet
know which virtual host content is being requested from, it uses the
certificate of the first host. It's really a limit of the protocol, not the server.

However, the latest version of the HTTPS protocol includes SNI, which
permits a client to transmit to the host the name of the virtual host
it wants to contact during the SSL handshake. So what you need to do
is make sure you have the very latest Apache, compiled with the latest
OpenSSL libraries, and use a recent web browser.