Apache SNI namevhosts always route to first VirtualHost entry

Apache seems to route all https requests to the first <VirtualHost *:443> regardless of SNI matching on ServerName/ServerAlias fields.

Apache is built with SNI
Server version: Apache/2.2.22 (Ubuntu)
Server built: Mar 8 2013 15:53:13
OpenSSL 1.0.1 14 Mar 2012

error.log reports:

Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)

Which suggests SNI is working as per http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI (How can you tell if your Apache build supports SNI?)

SSL_TLS_SNI seems to be set appropriately when requested using HTTPS (verified with phpinfo())

Configuration:

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    NameVirtualHost *:443
    Listen 443
</IfModule>

#<VirtualHost *:443>
#       <Location />
#               Order allow,deny
#               Deny from all
#       </Location>
#</VirtualHost>

<VirtualHost *:443>
        SSLEngine on
        ServerAdmin webmaster@localhost
        ServerName server.com
        ServerAlias server.com
        DocumentRoot /web/default
        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLCertificateFile /path/server.com.crt
        SSLCertificateKeyFile /path/server.com.key
</VirtualHost>
<VirtualHost *:443>
        SSLEngine on
        ServerAdmin webmaster@localhost
        ServerName alias.com
        ServerAlias alias.com
        DocumentRoot /web/default
        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLCertificateFile /path/alias.com.crt
        SSLCertificateKeyFile /path/alias.com.key
</VirtualHost>

Both https://server.com and https://alias.com try to serve the certificate (and content if you disregard the cert warning) from server.com

Similar configuration works fine using HTTP:80 (only change is SSLEngine on and the certificate/key paths)

If I uncomment the first virtual host (restricting HTTPS access to sites that are defined) then I always get a SSL error (even if it is a defined site)

Thanks

EDIT:
Additional flags

SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
SSLStrictSNIVHostCheck on
SSLVerifyClient none
SSLProxyEngine off

SSLStrictSNIVHostCheck on so it should only support SNI enabled browsers anyway

apache2ctl -S output:

*:443                  is a NameVirtualHost
         default server server.com (/etc/apache2/sites-enabled/000-default:22)
         port 443 namevhost server.com (/etc/apache2/sites-enabled/000-default:22)
         port 443 namevhost alias.com (/etc/apache2/sites-enabled/000-default:39)
         port 443 namevhost other.com (/etc/apache2/sites-enabled/other:22)

I am pretty sure my browser is correctly sending SNI since I can see it from in the SSL_TLS_SNI variable on the server. I have tried on all of the latest versions of Chrome, Firefox and IE10 and none work. Things look ok when I check my browser SNI support on sni.velox.ch

Yes, I expect that error on the first host. The only behavior I want on that is just to disable the default site (the only HTTPS sites that can be accessed are explicitly defined by virtualhosts). In any case, even with it commented, things don't seem to be working. I have verified the certs are different (displaying using openssl x509 -in cert.crt -text -noout) though using openssl s_client -showcerts -connect alias.com:443 seems to give me the server.com certificate. I also have SSLStrictSNIVHostCheck on so it should restrict to browsers supporting SNI. See edit for site config

Also, if I comment out the server.com virtualhost, then it passes up the correct certificate for alias.com since it's now the first vhost and set to default

it seems I have the same issue. Still not resolved. Waiting already for >12 hours. server.com and server.com works but problems with alias.com (although alias.com already works) ??? @arcqwerty how long did it take, till the problem had resolved on it's own?

Looking back at the time between Q+A, I'd say about 10 hours?

I left my server in this bad state, then came back 5 days after, and all is working fine. apache server was restarted, though (root process is still the original one, but httpd forks were reset).

Maybe this has something to do with browser cache or re-using open connections.

It seems that restarting does not effect changed SSL settings -- you have to stop apache and then start apache again.