Problems with IE/wget confusing a subdomain's SSL cert with the main domain's cert

Question

I'm running a website where the checkout flow is SSL certified using a Comodo EV certificate.

We also have Piwik web analytics tracking across the site, which is served off a stats subdomain. To prevent mixed domain errors, the Piwik is accessible via HTTPS as well as HTTP - for HTTPS, our Piwik subdomain is certified using a (much cheaper) Comodo PositiveSSL certificate.

Here's the weird part - when an HTTPS page on the main site is accessed through wget and some versions of Internet Explorer, the stats.psychicbazaar.com certificate seems to somehow get loaded by mistake, leading to "Mismatched Address" warnings in IE, and in wget:

ERROR: certificate common name `stats.psychicbazaar.com' doesn't match requested host name `www.psychicbazaar.com'.

This problem does not occur with curl, Chrome or Firefox. For example, with curl:

$ curl -Iv https://www.psychicbazaar.com/shop/checkout

* <snip>
* Connected to www.psychicbazaar.com (178.79.183.162) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*    subject: serialNumber=07440589; 1.3.6.1.4.1.311.60.2.1.3=GB; 1.3.6.1.4.1.311.60.2.1.
2=Greater London; businessCategory=Private Organization; C=GB; postalCode=EC24 4RQ; ST=Greater 
London; L=London; street=The Roma Building 32-38; O=Psychic Bazaar Ltd; OU=COMODO EV 
*    start date: 2012-02-16 00:00:00 GMT
*    expire date: 2013-02-15 23:59:59 GMT
*    subjectAltName: www.psychicbazaar.com matched
*    issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO Extended Validation Secure Server CA
*    SSL certificate verify ok.
> HEAD /shop/checkout HTTP/1.1
> User-Agent: curl/7.21.6 (x86_64-pc-linux-gnu) libcurl/7.21.6 OpenSSL/1.0.0e zlib/1.2.3.4 libidn/1.22 librtmp/2.3
> Host: www.psychicbazaar.com
> Accept: */*
> 
< <snip>

What could be going on here - why would a browser be reading and erroring on a subdomain's SSL certificate when it's loading a page on the main domain? Any help much appreciated!

Answer 1

# dig stats.psychicbazaar.com
[...]
;; ANSWER SECTION:
stats.psychicbazaar.com. 3600   IN      A       178.79.183.162
[...]
# dig www.psychicbazaar.com
[...]
;; ANSWER SECTION:
www.psychicbazaar.com.  3600    IN      A       178.79.183.162
[...]

How exactly is your web server supposed to know which certificate to serve for a TLS exchange if you are using the same IP address for both? This won't work:

http://wiki.apache.org/httpd/NameBasedSSLVHosts

As a rule, it is impossible to host more than one SSL virtual host on the same IP address and port. This is because Apache needs to know the name of the host in order to choose the correct certificate to setup the encryption layer. But the name of the host being requested is contained only in the HTTP request headers, which are part of the encrypted content. It is therefore not available until after the encryption is already negotiated.