If we set up 2 virtualhosts using the same certificate but using different paths for the certificate, Apache sends 421 during browsing between both virtualhosts. Certificate is for *.mydomain.com

What is working:

<VirtualHost *:443>
    ServerName test1.mydomain.com
    SSLEngine on
    SSLCertificateFile /home/test1.mydomain.com/ssl.cert
    SSLCertificateKeyFile /home/test1.mydomain.com/ssl.key
    SSLCACertificateFile /home/test1.mydomain.com/ssl.ca
</VirtualHost>

<VirtualHost *:443>
    ServerName test2.mydomain.com
    SSLEngine on
    SSLCertificateFile /home/test1.mydomain.com/ssl.cert
    SSLCertificateKeyFile /home/test1.mydomain.com/ssl.key
    SSLCACertificateFile /home/test1.mydomain.com/ssl.ca
</VirtualHost>

What is not working (leads to 421 when navigating between both virtualhosts):

<VirtualHost *:443>
    ServerName test1.mydomain.com
    SSLEngine on
    SSLCertificateFile /home/test1.mydomain.com/ssl.cert
    SSLCertificateKeyFile /home/test1.mydomain.com/ssl.key
    SSLCACertificateFile /home/test1.mydomain.com/ssl.ca
</VirtualHost>

<VirtualHost *:443>
    ServerName test2.mydomain.com
    SSLEngine on
    SSLCertificateFile /home/test2.mydomain.com/ssl.cert
    SSLCertificateKeyFile /home/test2.mydomain.com/ssl.key
    SSLCACertificateFile /home/test2.mydomain.com/ssl.ca
</VirtualHost>
Are there any plans for this? This would help us as well.
Also got hit by this. The most likely culprit is ssl_pk_server_compatible() in modules/ssl/ssl_engine_kernel.c - it checks for compatibility between vhosts by comparing certificate file name instead of certificate itself. That leads to a situation where browser correctly decides (based on information available to it, namely subject alternative names) that it can reuse existing connection, but Apache disagrees and returns error 421. (Some browsers try again as allowed by rfc7540 9.1.2, but some don't and show the error to the user.)
Comment 2 looks right. It should be possible to enhance mod_ssl to do that, but it would be complicated: you'd have to iterate through the configured certs for the second context and compare with the currently used cert. And this is a critical path which has had numerous security issues in the past. So nobody is planning to touch it, and it's pretty trivial to adjust your configuration to avoid the issue in the first place.
The issue is more that you need to know that this configuration will create an issue. As most browsers like Firefox and Chrome work on the surface (you see the 421 in the network tab), the website won't work at all with error-prone browsers like Safari. Another solution would be to see this as an invalid configuration and fail on configcheck here.
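The config check suggested above can be done outside httpd. The following is an added example, not code from this thread or from httpd: a small linter that parses <VirtualHost> blocks, groups them by listening address, and flags pairs whose SSLCertificateFile paths differ but whose file contents are byte-identical. That is exactly the situation comments 2 and 3 describe, where the browser may coalesce an HTTP/2 connection across the two names but mod_ssl, comparing paths rather than certificates, answers 421. The directive names are the real Apache ones; the vhost names reuse the ones from the report, the certificate content and temporary paths are constructed for the demo, and comparing by file hash (rather than parsing subjectAltName) is this example's own simplification.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# One <VirtualHost ...> ... </VirtualHost> block; DOTALL so the body may span lines.
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S)
# Only the directives the check needs; SSLEngine etc. are ignored.
DIRECTIVE_RE = re.compile(
    r"^\s*(ServerName|SSLCertificateFile|SSLCertificateKeyFile|SSLCACertificateFile)\s+(\S+)",
    re.M,
)


def parse_vhosts(config_text):
    """Return one dict per <VirtualHost> block: address plus the directives above."""
    vhosts = []
    for block in VHOST_RE.finditer(config_text):
        vh = {"address": block.group(1).strip()}
        for directive in DIRECTIVE_RE.finditer(block.group(2)):
            vh[directive.group(1)] = directive.group(2)
        vhosts.append(vh)
    return vhosts


def cert_fingerprint(path):
    """SHA-256 of the file bytes; identical files give identical fingerprints."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def find_path_mismatches(vhosts):
    """Pairs of vhosts on the same address whose SSLCertificateFile paths differ
    while the files themselves are identical. mod_ssl compares the path, so a
    browser coalescing these two names onto one connection will get a 421."""
    by_addr = {}
    for vh in vhosts:
        by_addr.setdefault(vh["address"], []).append(vh)
    findings = []
    for group in by_addr.values():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                pa, pb = a.get("SSLCertificateFile"), b.get("SSLCertificateFile")
                if not pa or not pb or pa == pb:
                    continue  # same path (or no TLS) is the case that works
                if cert_fingerprint(pa) == cert_fingerprint(pb):
                    findings.append((a.get("ServerName"), b.get("ServerName"), pa, pb))
    return findings


def demo():
    """Build the 'working' and 'not working' configs from the report against a
    constructed shared certificate and run the check on both."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-in for the one wildcard certificate; the byte
        # comparison does not need a real PEM body.
        pem = b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED-WILDCARD-CERT\n-----END CERTIFICATE-----\n"
        for host in ("test1.mydomain.com", "test2.mydomain.com"):
            (root / host).mkdir()
            (root / host / "ssl.cert").write_bytes(pem)

        def vhost(name, certdir):
            cert = root / certdir / "ssl.cert"
            return (
                "<VirtualHost *:443>\n"
                f"    ServerName {name}\n"
                "    SSLEngine on\n"
                f"    SSLCertificateFile {cert}\n"
                "</VirtualHost>\n"
            )

        # Both vhosts point at the same path: no finding expected.
        working = vhost("test1.mydomain.com", "test1.mydomain.com") + \
            vhost("test2.mydomain.com", "test1.mydomain.com")
        # Same bytes under two paths: the 421 case from the report.
        broken = vhost("test1.mydomain.com", "test1.mydomain.com") + \
            vhost("test2.mydomain.com", "test2.mydomain.com")
        return {
            "working": find_path_mismatches(parse_vhosts(working)),
            "broken": find_path_mismatches(parse_vhosts(broken)),
        }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "->", "OK" if not findings else findings)
```

Run against a real httpd config by feeding the concatenated vhost files to parse_vhosts(); any finding can be fixed the way comment 4 suggests, by pointing every vhost on that address at one copy of the certificate.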