httpd-dev mailing list archives

From Kaspar Brand <>
Subject Re: [users@httpd] ssl certifikate mismatch
Date Mon, 17 May 2010 05:01:12 GMT
> On Sun, May 16, 2010 at 3:14 PM, Eric Covener <> wrote:
>> User has a non-NVH on ( insists SNI is
>> choosing the SSL configuration from a different VH that (
>> comes earlier and b) has a matching servername.

I can't reproduce/confirm this behavior with 2.2.15. Did the user
double-check that the and files really have
the proper contents?

>> I think that was sent, but I'm not sure if any SNI
>> hostname was sent. I called it like this: openssl s_client -connect

openssl s_client doesn't send any SNI extension by default (needs to be
specified with -servername, if desired).

The code in mod_ssl which possibly switches to a different certificate
(through OpenSSL's SSL_set_SSL_CTX) is only reached from
ssl_callback_ServerNameIndication(). And this callback is not executed
if there's no SNI extension in the ClientHello (at APLOG_DEBUG, mod_ssl
will log the outcome of ap_vhost_iterate_given_conn, but my prediction
is that the user won't see any such messages if he's using s_client w/o
the servername switch).

