httpd-bugs mailing list archives

Subject [Bug 56508] Requiring SNI - SSLStrictSNIVHostCheck semantics
Date Sat, 12 Jul 2014 06:23:10 GMT

--- Comment #7 from Kaspar Brand ---
(In reply to Jeff Trawick from comment #6)
> No more "SSLStrictSNIVHostCheck On",

Yes, since I always considered this to be an unnecessary/misdesigned directive
(see e.g.
The primary purpose of SNI is to allow the proper certificate to be presented,
not to enforce access control, IMO.

> rules have to be active in every SSL-enabled vhost (since non-SNI
> client will likely still get to the right vhost even though they handshaked
> with the default vhost), rules have to be in proper order relative to
> existing rules for the vhost,

Relatively easy to achieve with "RewriteOptions InheritBefore" (or even
"RewriteOptions InheritDownBefore" with 2.4.8 and later), I would say.

> IMO it is simply wrong to pick a vhost from the Host header if SNI clients
> aren't supposed to be supported

Did you mean *non-*SNI clients? I can't follow you here otherwise.
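
A sketch of the rewrite-based approach this comment refers to, added here as an example; it is not part of the original message or of the bug report. It assumes httpd 2.4.8 or later with mod_ssl and mod_rewrite loaded, and all hostnames, paths and the sample per-vhost rule are constructed placeholders.

```apache
# Added example; hostnames, certificate paths and the /old rule are placeholders.

# Server scope: define the SNI check once and push it down into every
# virtual host, ahead of each vhost's own rules.
RewriteEngine On
RewriteOptions InheritDownBefore

# The rule is inherited by plain-HTTP vhosts as well, so limit it to TLS.
RewriteCond %{HTTPS} =on
# SSL_TLS_SNI is empty when the client sent no server_name extension.
RewriteCond %{SSL:SSL_TLS_SNI} =""
RewriteRule ^ - [F]

# First (default) TLS vhost: clients without SNI complete the handshake here.
<VirtualHost *:443>
    ServerName default.example.com
    SSLEngine on
    SSLCertificateFile    /path/to/default.crt
    SSLCertificateKeyFile /path/to/default.key
    # Rewrite rules only run in a vhost where the engine is switched on.
    RewriteEngine On
</VirtualHost>

# A non-SNI client can still be routed here by its Host header after
# handshaking with the default vhost, so the check has to apply here too.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /path/to/www.crt
    SSLCertificateKeyFile /path/to/www.key
    RewriteEngine On
    # Existing per-vhost rules are evaluated after the inherited SNI check.
    RewriteRule ^/old$ /new [R=302,L]
</VirtualHost>
```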
