httpd-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 56508] Requiring SNI - SSLStrictSNIVHostCheck semantics
Date Sat, 12 Jul 2014 06:23:10 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=56508

--- Comment #7 from Kaspar Brand <asfbugz@velox.ch> ---
(In reply to Jeff Trawick from comment #6)
> No more "SSLStrictSNIVHostCheck On",

Yes, since I always considered this to be an unnecessary/misdesigned directive
(see e.g.
https://mail-archives.apache.org/mod_mbox/httpd-dev/200903.mbox/%3C49D0EFF7.8030902@velox.ch%3E).
The primary purpose of SNI is to allow presenting the proper certificate, not
enforcing access control, IMO.

> rules have to be active in every SSL-enabled vhost (since non-SNI
> client will likely still get to the right vhost even though they handshaked
> with the default vhost), rules have to be in proper order relative to
> existing rules for the vhost,

Relatively easy to achieve with "RewriteOptions InheritBefore" (or even
"RewriteOptions InheritDownBefore" with 2.4.8 and later), I would say.

> IMO it is simply wrong to pick a vhost from the Host header if SNI clients
> aren't supposed to be supported

Did you mean *non-*SNI clients? I can't follow you here otherwise.

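The rewrite-based approach discussed in this message, as an added configuration sketch that is not part of the original mail or of the httpd project's own documentation. The hostnames, certificate paths, the vhost's own redirect rule and the `%{HTTPS}` guard are assumptions made for the illustration.

```apache
# Server level: refuse requests whose TLS handshake carried no SNI name.
# The HTTPS guard is an assumption added here so that plain-HTTP vhosts,
# which also inherit these rules and never have SSL_TLS_SNI set, keep working.
RewriteEngine On
RewriteCond %{HTTPS} =on
RewriteCond %{SSL:SSL_TLS_SNI} =""
RewriteRule ^ - [F]

# 2.4.8 and later: push the rules above into every vhost, ahead of the
# vhost's own rules, so ordering relative to existing rules is fixed once.
RewriteOptions InheritDownBefore

# First vhost on the address: the one a non-SNI client handshakes with.
<VirtualHost *:443>
    ServerName default.example.org
    SSLEngine on
    SSLCertificateFile    /path/to/default.example.org.crt
    SSLCertificateKeyFile /path/to/default.example.org.key
    RewriteEngine On
</VirtualHost>

# A non-SNI client can still be routed here by its Host header after
# handshaking with the default vhost, so the check has to be active here too.
<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /path/to/www.example.org.crt
    SSLCertificateKeyFile /path/to/www.example.org.key
    RewriteEngine On
    # Before 2.4.8, drop InheritDownBefore above and opt in per vhost instead:
    # RewriteOptions InheritBefore
    RewriteRule ^/old$ /new [R=301,L]
</VirtualHost>
```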