Here is my problem. I have multiple domains hosted on one Apache web server (virtual hosts). Two of them (a.com and b.com) use SSL certificates. I configured both with these commands:
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/ABC.crt
    SSLCertificateKeyFile /etc/apache2/ssl/ABC.key
    SSLCertificateChainFile /etc/apache2/ssl/ABC.chain.crt
    SSLProtocol             all -SSLv2
When I try to connect via browser (Chrome, Firefox, IE) it works fine and I get the right certificate. But on Android I got an exception: No peer certificate
Then I tried to test it with this command:
    openssl s_client -connect b.com:443
It returns the certificate of a.com. Any suggestions what I've done wrong that I get the wrong certificate with openssl and Android?
There are probably multiple hosts on the same IP address and you need to use Server Name Indication (SNI) to access this site. To use SNI with openssl s_client use the -servername option, e.g. openssl s_client -connect b.com:443 -servername a.com. As for Android: according to https://developer.android.com/training/articles/security-ssl.html SNI is supported since 2.3 for HttpsURLConnection but not for Apache HTTP Client.