Is it possible for a web server to select an SSL certificate to use based on the host-header of the incoming connection, or is that information that is only available after the SSL connection is established?
That is, can my webserver listen on port 443 and use the foo.com certificate if https://foo.com is requested, and the bar.com certificate if https://bar.com is requested, or am I trying to do something impossible because the server has to establish an SSL connection before it knows what the client wants?
Historically, your first statement is accurate. Now, there are multiple options:
This has been answered numerous times on ServerFault by myself and others. I'd suggest searching for further details unless you have a specific question.
To extend Warner's answer: CAcert's page Vhost Task Force compares several methods for using multiple domains on a single server. I personally use Server Name Indication.
Short answer: no
HTTP is encapsulated inside SSL, so any information about the request is inaccessible until the connection has been established, and hence until a certificate has been given to the client. There is no way to use headers or any other encrypted info, as they are not yet available.
EDIT: this is true if you want to be cross-browser and fully portable nowadays. As others have said, there are some newly emerging methods making it possible in the near future.
Correct. The SSL connection is established before any part of the HTTP request (host header included) is sent.