On Sun, May 16, 2010 at 3:18 PM, Eric Covener <covener@xxxxxxxxx> wrote: >> Listen 10.137.1.104:9901 >> <VirtualHost 10.137.1.104:9901> >> SSLEngine on >> SSLCertificateFile /etc/apache2/conf/www.aaa.at.crt >> SSLCertificateKeyFile /etc/apache2/conf/www.aaa.at.key >> Include conf/www.aaa.misc >> </VirtualHost> >> >> Listen 10.137.1.104:9902 >> <VirtualHost 10.137.1.104:9902> >> SSLEngine on >> SSLCertificateFile /etc/apache2/conf/www.aaa.de.crt >> SSLCertificateKeyFile /etc/apache2/conf/www.aaa.de.key >> Include conf/www.aaa.misc >> </VirtualHost> >> >> Listen 10.137.1.104:9903 >> NameVirtualHost 10.137.1.104:9903 >> <VirtualHost 10.137.1.104:9903> >> Include conf/www.aaa.misc >> </VirtualHost> > >> openssl s_client -connect 10.137.1.104:9902 > >> The certificate www.aaa.at was selected. > > Certainly looks bogus, fwd'ed to dev@ list > > Can you show in one terminal session the contents of the two certificates (openssl x509 -in ... -text | grep Subject:) and the console output of s_client that includes the subject? According to one of the active SNI folks, your openssl invocation shouldn't even be providing the SNI extension (by default). -- Eric Covener covener@xxxxxxxxx --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx