SNI vhost selection fails intermittently

[Daniel Kahn Gillmor]

jomat reports some problems with the server at web0.jmt.gr. it has a single IPv4 address, with several name-based vhosts. the default vhost is www.jmt.gr. other distinct vhosts include 0.jmt.gr and l.jmt.gr. They use SNI to distinguish them.

Using mod_gnutls 0.5.10+lots of git revisions (close to what i'm hoping will be the 0.6 release), against gnutls 3.2.4-4 and apache 2.4.6-3, when the server starts up, everything is fine.

then, after a little while, sometimes selection via SNI starts to fail, and the default certificate is presented instead.

We haven't been able to track down what causes it yet.

It happens regardless of whether one is using openssl s_client or refreshing a web page.

we probably need a test for this.

[Daniel Kahn Gillmor]

jomat adds:

17:50 < jomat> I have never seen the problem on other vhosts than pad.jmt.gr and tagr.jmt.gr
17:50 < jomat> and these are the only two vhosts using mod_proxy
17:51 < jomat> and the problem appeared with a configuration change
17:51 < jomat> Well, a forced config change
17:51 < jomat> let me elaborate
17:52 < jomat> i use apache+mod_gnutls+mod_proxy as a tls-termination for the unencrypted services behind the proxy
17:53 < jomat> So I used to use "ProxyPass / http://172.22.173.237:9001/"
17:53 < jomat> But that didn't work anymore since I updated to the git version
17:53 < jomat> now I have to use "ProxyPass / https://172.22.173.237:9001/"
17:54 < jomat> although 172.22.173.237:9001 is plaintext
17:56 <@dkg> wait, when you say "the git version" you mean of mod_gnutls?
17:56 < jomat> yeah
17:58 <@dkg> but things were working before with the stock version in debian?
17:59 <@dkg> how did you settle on needing https:// in ProxyPass?
18:01 < jomat> The Debian version worked... I'll reproduce the log message