httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: SNI in 2.2.9? (Re: 2.2.9 status)
Date Wed, 04 Jun 2008 14:01:11 GMT
On Tue, Jun 03, 2008 at 04:42:07PM +0200, Kaspar Brand wrote:
> So, is there still hope for SNI being added in 2.2.9...? Let me know if
> there's anything else I can do to increase the chances of getting this
> proposal accepted.

http://svn.apache.org/viewvc?rev=662815&view=rev

Changing the dirconf structure fields in-place seems ugly and may even 
be thread-unsafe (not sure).  I still can't see how this handles half 
the cases it needs to, as I've said several times now - SSLVerifyClient 
is only one part of this.  From a quick look I can't see how a reneg 
would be forced for any of:

1) SSLCipherSuite changed since original vhost
2) SSLCACertificate* changed since original vhost (where both 
3) SSLOCSP* changed since original vhost

but it certainly should be.  A lot of the mod_ssl code will need to be 
very carefully reviewed since some core assumptions are being broken by 
supporting SNI.  I would go through each of the config directives which 
support vhost context in turn.  What about SSLCertificateChainFile?  
What about CRLs?  etc etc.

It is also a complete cop-out to claim these issues aren't specific to 
SNI since we explicitly don't support any non-SNI configuration in which 
these paths can be triggered.  And for very good reason: *they don't 
work properly*.

joe

