I've wondered many times over the years why I couldn't have multiple SSL name-based virtual hosts with Apache. I've become confused more than once about whether the preceding sentence is true, but I now believe it is. The relevant sentence in the documentation is "Name-based virtual hosting cannot be used with SSL secure servers because of the nature of the SSL protocol." I'm not sure how it could be more uninformative…
Red Hat's documentation gives a bit more of a clue about what is going on, saying "Note: You can not use name based virtual hosts with SSL, because the SSL handshake (when the browser accepts the secure Web server's certificate) occurs before the HTTP request which identifies the appropriate name based virtual host. If you want to use name-based virtual hosts, they will only work with your non-secure Web server." I thought about that for a minute when I finally found it tonight—it seemed to me that all that was really needed was to accept that each IP address could have only a single PKI certificate. (Actually, given the information transmitted by TLS, even that requirement might be loosened; I'd have to glance at the protocol to be sure one way or the other.) Once a secure connection was established, name-based vhosting could still be used to select between port 443 vhosts on the site. Sure, this would have security issues; for what I was trying to do, though, it would be fine.
It looks like the Apache folks are not going to be helpful here.
At this point, I ran across the commercial LiteSpeed HTTP server. This server's SSL support documentation seems to confirm my analysis: "Since a SSL certificate is bundled with a listener, if a virtual host requires a dedicated certificate, a dedicated SSL listener must be created for that virtual host. In other words, that virtual host must be an IP based virtual host." A "listener" in LiteSpeed parlance is separate from a vhost; binding the certificate to the listener rather than to the vhost is exactly the one-certificate-per-address constraint I had arrived at.
OK, now what?
I checked out the alternate HTTP server flavor of the week, lighttpd. It's reportedly much faster than Apache 2 at serving Rails content, which is what I currently care about. I didn't think lighttpd had SSL support, but I was wrong. However, it's not clear for this server how name-based virtual hosts and SSL interact. It looks OK, but I can't tell—I guess I have to try it.
I can't believe all this is so hard, nor that it cost me another night's sleep. (B)