On Wed, Oct 28, 2009 at 11:59:44PM +0200, Iantcho Vassilev wrote:

> Here is the debug on the host when only one site listens to 443
>
> 2009/10/29 00:55:11 [debug] 9171#0: *195388 http check ssl handshake
> 2009/10/29 00:55:11 [debug] 9171#0: *195388 https ssl handshake: 0x16
> 2009/10/29 00:55:11 [debug] 9171#0: *195388 SSL_do_handshake: -1
> 2009/10/29 00:55:11 [debug] 9171#0: *195388 SSL_get_error: 2

SNI handshake looks like this:

2009/10/29 09:53:05 [debug] 73997#0: *1 http check ssl handshake
2009/10/29 09:53:05 [debug] 73997#0: *1 https ssl handshake: 0x16
2009/10/29 09:53:05 [debug] 73997#0: *1 SSL server name: "www.example.com"
2009/10/29 09:53:05 [debug] 73997#0: *1 SSL_do_handshake: -1
2009/10/29 09:53:05 [debug] 73997#0: *1 SSL_get_error: 2

> 2009/10/29 00:55:11 [debug] 9171#0: *195388 post event 0000000001DD95A0
> 2009/10/29 00:55:11 [debug] 9171#0: *195388 delete posted event
> 0000000001DD95A0
> 2009/10/29 00:55:11 [debug] 9171#0: *195388 SSL handshake handler: 0
> 2009/10/29 00:55:11 [debug] 9171#0: *195388 SSL_do_handshake: 1
> 2009/10/29 00:55:11 [debug] 9171#0: *195388 SSL: SSLv3, cipher:
> "DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1"

For some reason only SSLv3 has been negotiated.
Either server has no enabled TLSv1 in ssl_protocols, or browser.


--
Igor Sysoev
http://sysoev.ru/en/