Apache/GnuTLS: can't get multiple TLS-enabled virtual hosts to work

A while ago, I set up an SSL certificate authority for our intranet, generated a bunch of certificates and ran a number of sites with them, all on the same physical host with one single Apache2 installation; one root certificate and one certificate for each virtual host. I added the root certificate to the client machines and everything was fine (i.e. all communication was protected).

Now I am trying to switch from mod_ssl to mod_gnutls. Changes to the Apache2 configuration were simple:

• disable the SSL module: a2dismod ssl
• enable the GnuTLS module: a2enmod gnutls

• add a new section to /etc/apache2/ports.conf with the same contents as the SSL section:

  <IfModule mod_gnutls.c>
    NameVirtualHost *:443
    Listen 443
  </IfModule>
  

• change per-site configurations in e.g. /etc/apache2/sites-available/site1.domain-ssl:

  <IfModule mod_gnutls.c> 
    <VirtualHost *:443>
      ServerAdmin  [email protected]
      ServerName   site1.domain
      DocumentRoot /var/www/site1.domain_ssl/public_html/
      ErrorLog     /var/www/site1.domain_ssl/logs/error.log
      CustomLog    /var/www/site1.domain_ssl/logs/access.log combined
      LogLevel     debug
  
      # <Directory ... > settings omitted
  
      # old SSL configuration:
      # SSLEngine on
      # SSLCertificateFile    /etc/ssl/certs/site1.cert.pem
      # SSLCertificateKeyFile /etc/ssl/private/site1.key.pem
  
      # new TLS configuration
      GnuTLSEnable on
      GnuTLSPriorities NORMAL:!DHE-RSA:!DHE-DSS:!AES-256-CBC:%COMPAT
      GnuTLSCertificateFile /etc/ssl/certs/site1.domain.cert
      GnuTLSKeyFile         /etc/ssl/private/site1.domain.key
    </VirtualHost>
  </IfModule>
  

I re-created the cetificate authority root certificate from scratch, created new per-site certificates and re-deployed them. (I used to use .pem file suffix with SSL, but dropped that when switching to GnuTLS).

The problem is now that I can not access any virtual hosts.

When I try to connect to the physical host, everything seems fine:

user@host:~$ gnutls-cli-debug host
Resolving 'host'...
Connecting to '127.0.1.1:443'...
Checking for SSL 3.0 support... yes
Checking whether %COMPAT is required... no
Checking for TLS 1.0 support... yes
Checking for TLS 1.1 support... yes
  ... (etc.) ...

and when I connect using gnutls-cli --x509cafile <my root cert file>, the root certificate is validated successfully.

However, when I try to connect to one of the virtual hosts, this happens:

user@host:~$ gnutls-cli-debug site1
Resolving 'site1'...
Connecting to '192.168.137.135:443'...
Checking for SSL 3.0 support...|<1>| Received record packet of unknown type 60
 no
Checking whether %COMPAT is required...|<1>| Received record packet of unknown type 60
 yes
Checking for TLS 1.0 support...|<1>| Received record packet of unknown type 60
 no
Checking for TLS 1.1 support...|<1>| Received record packet of unknown type 60
 no
  ... (etc.) ...

and I get error message like these in the Apache log:

[Mon May 19 17:55:35 2014] [info] [client 127.0.0.1] GnuTLS: Handshake Failed (-21) 'Could not negotiate a supported cipher suite.'
[Mon May 19 17:55:35 2014] [info] (70014)End of file found: GnuTLS: Error reading data. (-9) 'A TLS packet with unexpected length was received.'
[Mon May 19 17:59:58 2014] [error] [client 192.168.137.135] Invalid method in request \x16\x03

Of course there are plenty of Google results about these errors, but despite spending pretty much the entire weekend searching, nothing conclusive has come up.

This is all taking place under a fresh installation of the latest Debian 7.5 i386 on a VM (which I've set up to find the error, the actual intranet server is a real machine), so Apache does support SNI:

user@host:~$ aptitude show apache2-mpm-worker | grep Version
Version: 2.2.22-13+deb7u1
user@host:~$ aptitude show libapache2-mod-gnutls | grep Version
Version: 0.5.10-1.1

The mod-gnutls page explicitely states that it supports Server Name Indication, but to me, it looks like this is simply not the case.

Can anyone help me ?