Return-Path: Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: (qmail 54839 invoked from network); 30 Mar 2009 16:15:23 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 30 Mar 2009 16:15:23 -0000 Received: (qmail 9714 invoked by uid 500); 30 Mar 2009 16:15:22 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 9638 invoked by uid 500); 30 Mar 2009 16:15:21 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 9628 invoked by uid 99); 30 Mar 2009 16:15:21 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 30 Mar 2009 16:15:21 +0000 X-ASF-Spam-Status: No, hits=1.2 required=10.0 tests=SPF_NEUTRAL X-Spam-Check-By: apache.org Received-SPF: neutral (nike.apache.org: local policy) Received: from [62.179.121.31] (HELO viefep11-int.chello.at) (62.179.121.31) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 30 Mar 2009 16:15:11 +0000 Received: from edge03.upc.biz ([192.168.13.238]) by viefep11-int.chello.at (InterMail vM.7.09.01.00 201-2219-108-20080618) with ESMTP id <20090330161449.PLTO20228.viefep11-int.chello.at@edge03.upc.biz> for ; Mon, 30 Mar 2009 18:14:49 +0200 Received: from [77.56.93.188] ([77.56.93.188]) by edge03.upc.biz with edge id ZUEn1b00q43qgX903UEouj; Mon, 30 Mar 2009 18:14:49 +0200 X-SourceIP: 77.56.93.188 Message-ID: <49D0EFF7.8030902@velox.ch> Date: Mon, 30 Mar 2009 18:14:47 +0200 From: Kaspar Brand User-Agent: Thunderbird 2.0.0.21 (Windows/20090302) MIME-Version: 1.0 To: dev@httpd.apache.org Subject: Re: SNI in 2.2.x (Re: Time for 2.2.10?) References: <48AA6528.1090301@velox.ch> <49CE81CA.6090708@apache.org> In-Reply-To: <49CE81CA.6090708@apache.org> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org Ruediger Pluem wrote: > Going through the archive I noticed several attachments with the same > basename and and a version string attached. Are these patches > cumulative so that I only need to review the latest one? sni_sslverifyclient-v5.diff includes all improvements to ssl_hook_Access/ssl_callback_SSLVerify/ssl_callback_SSLVerify_CRL which I did in June 2008, yes. Then I stopped updating the trunk version (due to lack of responses) and only worked on further improvements on to the 2.2.x patch (latest version lives at http://sni.velox.ch/httpd-2.2.x-sni.20080928.patch). > As said several times we consider name based virtual hosting for SSL > *without* SNI as not recommended and insecure. This has not changed > with the SNI patches applied to trunk. Other than being the ceterum censeo, what's the rationale here? "Not recommended and insecure" sounds like FUD to me, and apparently no one has spent at least a few hours to verify (or disprove) the analysis I undertook last June. Locking out non-SNI capable clients from all but the first vhost is overkill for many configurations (e.g. when no SSL access restrictions are in place), and will break configurations which used to work with 2.2. People *are* doing things like those shown at http://wiki.cacert.org/wiki/CSRGenerator to address their needs, and this would break with your change suggested for 2.4 ("because we always said..." - yes, I know, that will be your [compelling?] argument). > Not SNI enabled clients receive a 403 when contacting any of > the name based virtual hosts (which enables you to set a nice error > page to explain to the user what happened and which browser to use). Why hardcode HTTP_FORBIDDEN? Leave it to the user to configure it as needed, as I outlined an earlier posting: > * you can use this information in mod_rewrite rules, e.g. for > rewriting requests based on the absence of an SNI extension (such as > 'RewriteCond %{SSL:SSL_TLS_SNI} =""' Kaspar