Safari-based browsers do not support HTTP Status 421 Misdirected request

Originator: jorgar
Number: rdar://FB7745565    Date Originated:
Status: Open    Resolved:
Product: Safari    Product Version: 13.1.1
Classification:    Reproducible:
 
Use standard HTTP server virtual hosting to host more than one website on the same IP address. Set up TLS and serve both sites with the same wildcard certificate. In whatever way your HTTP server supports, bind the TLS server name to the HTTP virtual host name.

In the example in the attached QuickTime recording, I have set up three virtual hosts:
    - one.wtest.jpeach.org
    - two.wtest.jpeach.org
    - three.wtest.jpeach.org

All of these are served with the wildcard certificate for *.wtest.jpeach.org. At the TLS layer, the server name "one.wtest.jpeach.org" only has access to the "one.wtest.jpeach.org" virtual host, not to any of the other three virtual hosts.

If you navigate to "https://one.wtest.jpeach.org" in Safari, Safari correctly loads the page. If you then navigate to "https://two.wtest.jpeach.org", Safari will incorrectly re-use the TLS connection it established for "one.wtest.jpeach.org" and request "https://two.wtest.jpeach.org". Since that virtual host is not configured on the TLS session, the server responds with a 421 Misdirected Request status. Safari does not handle this, and displays a blank page.

As per RFC 7540 (HTTP/2) section 9.1.2 (https://tools.ietf.org/html/rfc7540#section-9.1.2), the UA MAY retry a request that received a 421 status response. Chrome and Firefox browsers both correctly retry in this situation.
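The following Go program is an added example, not code from the report or from WebKit. It models the whole scenario offline: a server-side guard that answers 421 whenever a request's authority differs from the TLS server name the connection was negotiated for, and a client whose connection pool coalesces hostnames covered by one wildcard certificate, with a switch for whether a 421 is retried on a fresh connection (the Chrome/Firefox behaviour) or surfaced unchanged (the Safari behaviour described above). The hostnames are the ones from the report; the one-to-one binding of each SNI name to one virtual host, the handler names and the pool model are assumptions made for illustration, and the TLS handshake is simulated with httptest rather than a real socket.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// hostOf strips an optional :port from an authority so that
// "two.example:443" compares equal to "two.example".
func hostOf(authority string) string {
	if h, _, err := net.SplitHostPort(authority); err == nil {
		return h
	}
	return authority
}

// Misdirected reports whether a request for host arrived on a TLS
// connection negotiated for server name sni that is bound (assumption:
// one SNI name, one virtual host) to a different virtual host. With no
// SNI at all (plain HTTP) nothing is bound, so the request is allowed.
func Misdirected(sni, host string) bool {
	return sni != "" && !strings.EqualFold(sni, hostOf(host))
}

// RequireSNIMatch is server-side middleware: it answers 421 instead of
// letting a request reach a virtual host the TLS session was not set up for.
func RequireSNIMatch(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		sni := ""
		if r.TLS != nil {
			sni = r.TLS.ServerName
		}
		if Misdirected(sni, r.Host) {
			http.Error(w, "connection is bound to "+sni, http.StatusMisdirectedRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Serve runs one request through the guard without a network: sni is the
// name the simulated TLS handshake carried, host the HTTP authority.
func Serve(sni, host string) int {
	h := RequireSNIMatch(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello from %s\n", r.Host)
	}))
	req := httptest.NewRequest(http.MethodGet, "http://"+host+"/", nil)
	if sni != "" {
		req.TLS = &tls.ConnectionState{ServerName: sni} // simulated handshake
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// certCovers is the wildcard match that lets an HTTP/2 client coalesce
// connections across hostnames (RFC 7540 section 9.1.1): "*" stands in
// for exactly one leftmost DNS label.
func certCovers(pattern, host string) bool {
	if strings.HasPrefix(pattern, "*.") {
		i := strings.IndexByte(host, '.')
		return i > 0 && strings.EqualFold(host[i+1:], pattern[2:])
	}
	return strings.EqualFold(pattern, host)
}

// Client models a browser connection pool: one TLS connection per SNI
// name, all presenting a certificate for CertName. Retry selects whether a
// 421 is retried on a fresh connection or returned to the page as-is.
type Client struct {
	CertName string
	Retry    bool
	pool     []string // SNI names of the open connections
}

// Get fetches https://host/ and returns the final status and the SNI name
// of the connection that produced it.
func (c *Client) Get(host string) (int, string) {
	for _, sni := range c.pool {
		if !certCovers(c.CertName, host) {
			continue
		}
		code := Serve(sni, host) // coalesced onto an existing connection
		if code != http.StatusMisdirectedRequest || !c.Retry {
			return code, sni
		}
		break // 421 and retry allowed: fall through to a fresh connection
	}
	c.pool = append(c.pool, host)
	return Serve(host, host), host
}

func main() {
	for _, retry := range []bool{false, true} {
		c := &Client{CertName: "*.wtest.jpeach.org", Retry: retry}
		for _, h := range []string{"one.wtest.jpeach.org", "two.wtest.jpeach.org"} {
			code, via := c.Get(h)
			fmt.Printf("retry=%v %s -> %d via SNI %s\n", retry, h, code, via)
		}
	}
}
```

With Retry false the second fetch comes back as 421 from the connection negotiated for one.wtest.jpeach.org, which is the blank page the report describes; with Retry true the client discards that connection and the retry lands on a connection whose SNI matches, so the user sees a 200. The server-side guard is the part a site operator controls: it is what keeps a coalesced request from being answered by the wrong virtual host in the first place.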

This is an information disclosure security bug, since the browser sends the request to the wrong server name. This issue (misdirecting HTTPS requests to the wrong hostname) has been published as https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11767.

This is the same as the issue reported via WebKit https://bugs.webkit.org/show_bug.cgi?id=192926, which is associated with rdar://problem/34187588.
