httpd-dev mailing list archives

From Igor Galić <i.ga...@brainsware.org>
Subject Re: [users@httpd] SSL, SNI and SSLStrictSNIVHostCheck
Date Sat, 05 Jan 2013 09:32:27 GMT

Thomas,

I think the users@ list may be the wrong target for such discussion.
FWDing to dev@ 

----- Original Message -----
> Is the directive
>      SSLStrictSNIVHostCheck On
> meant to block connections to a virtual host if the connecting client
> uses an IP literal as URL? RFC 6066 states that
>      Literal IPv4 and IPv6 addresses are not permitted in "HostName".
> since an SNI doesn't make sense at all for an IP literal, and this
> bug report/patch for FF (https://bugzilla.mozilla.org/show_bug.cgi?id=421634)
> does exactly what I would expect for such a client request, which
> is to not send any SNI at all.
> 
> The docs don't mention this corner case
> (http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslstrictsnivhostcheck)
> and I think the "issue" traces to
>      httpd-2.4.3/modules/ssl/ssl_engine_kernel.c:166
> where there is no check whether the SNI is necessary at all, only whether it is
> present:
>      if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
> 
> So if this is not working as intended I suggest adding an IP literal
> detection at this place, and if it is working as intended I would like
> to know the reasoning behind it.
> 
> Cheers,
>    Thomas
> 

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515  2EA5 4B1D 9E08 A097 C9AE
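As an added illustration of the "IP literal detection" Thomas asks for (example code written for this archive page, not httpd's own ssl_engine_kernel.c): the helper classifies a ClientHello host_name value per RFC 6066, treating an IP literal like a missing SNI instead of an unknown vhost. The vhost table and the `classify_sni`/`sni_is_ip_literal` names are constructed for the example; what httpd then does with an SNI-unaware client under SSLStrictSNIVHostCheck is not modelled here.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
/* RFC 6066, section 3: literal IPv4 and IPv6 addresses are not permitted
 * in "HostName". inet_pton() recognises both families with strict syntax,
 * so "192.0.2.1" and "2001:db8::1" are literals, "192.0.2" is not. */
bool sni_is_ip_literal(const char *servername)
{
    unsigned char buf[16];
    if (servername == NULL || *servername == '\0')
        return false;
    return inet_pton(AF_INET, servername, buf) == 1
        || inet_pton(AF_INET6, servername, buf) == 1;
}

/* How the vhost lookup should treat the host_name value of one ClientHello. */
enum sni_class {
    SNI_ABSENT,        /* nothing usable: handle as an SNI-unaware client */
    SNI_KNOWN_VHOST,   /* matches a configured ServerName or ServerAlias */
    SNI_UNKNOWN_VHOST  /* syntactically fine but no vhost is configured for it */
};

/* DNS names are compared case-insensitively; ASCII is enough for SNI. */
static bool name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* Stand-in for httpd's lookup against its configured vhosts (constructed). */
static bool vhost_known(const char *name)
{
    static const char *const names[] = { "www.example.org", "mail.example.org" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        if (name_eq(name, names[i]))
            return true;
    return false;
}

/* The check Thomas proposes: an IP-literal SNI was never allowed by the RFC,
 * so treat it as if no SNI had been sent rather than as an unknown vhost. */
enum sni_class classify_sni(const char *servername)
{
    if (servername == NULL || *servername == '\0' || sni_is_ip_literal(servername))
        return SNI_ABSENT;
    return vhost_known(servername) ? SNI_KNOWN_VHOST : SNI_UNKNOWN_VHOST;
}
```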

