Apache SNI namevhosts always route to first VirtualHost entry

Apache seems to route all https requests to the first <VirtualHost *:443> regardless of SNI matching on ServerName/ServerAlias fields.

Apache is built with SNI
Server version: Apache/2.2.22 (Ubuntu)
Server built: Mar 8 2013 15:53:13
OpenSSL 1.0.1 14 Mar 2012

error.log reports:

Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)

Which suggests SNI is working as per http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI (How can you tell if your Apache build supports SNI?)

SSL_TLS_SNI seems to be set appropriately when requested using HTTPS (verified with phpinfo())

Configuration:

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    NameVirtualHost *:443
    Listen 443
</IfModule>

#<VirtualHost *:443>
#       <Location />
#               Order allow,deny
#               Deny from all
#       </Location>
#</VirtualHost>

<VirtualHost *:443>
        SSLEngine on
        ServerAdmin webmaster@localhost
        ServerName server.com
        ServerAlias server.com
        DocumentRoot /web/default
        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLCertificateFile /path/server.com.crt
        SSLCertificateKeyFile /path/server.com.key
</VirtualHost>
<VirtualHost *:443>
        SSLEngine on
        ServerAdmin webmaster@localhost
        ServerName alias.com
        ServerAlias alias.com
        DocumentRoot /web/default
        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLCertificateFile /path/alias.com.crt
        SSLCertificateKeyFile /path/alias.com.key
</VirtualHost>

Both https://server.com and https://alias.com try to serve the certificate (and content if you disregard the cert warning) from server.com

Similar configuration works fine using HTTP:80 (only change is SSLEngine on and the certificate/key paths)

If I uncomment the first virtual host (restricting HTTPS access to sites that are defined) then I always get a SSL error (even if it is a defined site)

Thanks

EDIT:
Additional flags

SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
SSLStrictSNIVHostCheck on
SSLVerifyClient none
SSLProxyEngine off

SSLStrictSNIVHostCheck on so it should only support SNI enabled browsers anyway

apache2ctl -S output:

*:443                  is a NameVirtualHost
         default server server.com (/etc/apache2/sites-enabled/000-default:22)
         port 443 namevhost server.com (/etc/apache2/sites-enabled/000-default:22)
         port 443 namevhost alias.com (/etc/apache2/sites-enabled/000-default:39)
         port 443 namevhost other.com (/etc/apache2/sites-enabled/other:22)

Update

So for some strange reason, the problem seems to have resolved itself.
Perhaps it's some sort of strange caching issue or something (though I have apache2ctl stop/start/restart and sudo service apache2 stop/start/restart/reloaded many times and have performed tests locally on the server as well as using several different machines).

Feel free to take this question down or leave it up if it serves as any sort of reference.
Thanks for all the help guys!


Your configuration looks OK; The directive SSLEngine On has been included; According to the log message, it looks like the issue comes from the client side.

Not all clients support SNI, however most of them do. It depends on how the SSL negociation is made, by the system (does not work on Win XP then) or by the browser (the version must be recent enough). Look at list of browsers with support of SNI. If you must ensure all clients get access to your websites, you can't use SNI because of these old versions (of the browser or of the system). You would need an IP per ServerName and use VirtualHost $IP_alias:443 for ServerName alias.com and VirtualHost $IP_server:443 for ServerName server.com instead of VirtualHost *:443 for both.