- two (or more) subdomains (same domain)
- …share a common wildcard SSL certificate
- on the same host (same IPv4 address)
- but with different IPv6 addresses
- client: Firefox (only Firefox has this behavior)
- use HTTP/2
- use IPv6
- foo.example.com in the location bar shows foo.example.com
- bar.example.com in the location bar shows bar.example.com
Requests for the second host (bar) go to the first host (foo).
With HTTP/2, Firefox shares connections to webservers (“pooling”) to speed up page loading by omitting the handshake and TCP slow start. Firefox determines which connections can be pooled together not by looking at the hostname, but by looking at the IPv4 address and the certificate. If the IPv4 address of the second host (bar) matches the IPv4 address of the first host (foo), AND the certificate used for foo is also valid for bar, then the connection to foo is reused for bar.
The webserver may not be configured to show the contents of bar when someone connects to the IPv6 address of foo. Webserver administrators who were happy about the fact that with IPv6 there’s no need for SNI and name-based virtual hosting anymore (like me) may have configured their webservers under the false assumption that if an IPv6 address is published for hostname foo, incoming connections for that hostname will arrive at that IP address.
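As an added illustration (not code from the original post), the following Python models the pooling rule just described over constructed DNS and certificate data and reports host pairs whose requests could end up on the wrong IPv6 listener; the hostnames, addresses and certificate names are assumptions.

```python
from itertools import permutations

# Constructed sample data (hypothetical hosts, addresses and certificates):
# what each hostname resolves to and which certificate its listener serves.
HOSTS = {
    "foo.example.com": {"a": "192.0.2.10", "aaaa": "2001:db8::10", "cert": "wildcard"},
    "bar.example.com": {"a": "192.0.2.10", "aaaa": "2001:db8::20", "cert": "wildcard"},
    "baz.example.com": {"a": "192.0.2.10", "aaaa": "2001:db8::30", "cert": "baz-only"},
    "www.example.com": {"a": "192.0.2.10", "aaaa": "2001:db8::10", "cert": "wildcard"},
    "qux.example.org": {"a": "192.0.2.11", "aaaa": "2001:db8::11", "cert": "wildcard"},
}
# Subject Alternative Names carried by each (constructed) certificate.
CERTS = {
    "wildcard": ["*.example.com", "example.com"],
    "baz-only": ["baz.example.com"],
}

def san_matches(pattern: str, host: str) -> bool:
    """Hostname matching as in RFC 6125: '*' covers exactly one leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host

def cert_covers(cert_id: str, host: str) -> bool:
    return any(san_matches(san, host) for san in CERTS[cert_id])

def would_coalesce(first: str, second: str, hosts=HOSTS) -> bool:
    """The rule as the post describes it: an open HTTP/2 connection to `first`
    is reused for `second` when both share an IPv4 address and `first`'s
    certificate is also valid for `second`. The IPv6 address plays no role."""
    f, s = hosts[first], hosts[second]
    return f["a"] == s["a"] and cert_covers(f["cert"], second)

def coalescing_risks(hosts=HOSTS):
    """Pairs that would be pooled although their AAAA records differ: a request
    for `second` can then arrive on `first`'s IPv6 listener."""
    risks = []
    for first, second in permutations(sorted(hosts), 2):
        if not would_coalesce(first, second, hosts):
            continue
        if hosts[first]["aaaa"] != hosts[second]["aaaa"]:
            risks.append((first, second))
    return risks

if __name__ == "__main__":
    for first, second in coalescing_risks():
        print(f"{second} may be served by the IPv6 listener of {first}")
```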
The behavior of Firefox is highly unexpected – or simply wrong.
There are many obvious workarounds, but all of them have disadvantages.
- use different certificates (cheap nowadays) or
- use the same IPv6 address (use name based virtual hosting and SNI even when using IPv6) or
- use HTTP status code 421 (Misdirected Request) to answer “misguided” requests