httpd-dev mailing list archives

From Peter Sylvester <>
Subject Re: [SPAM?]: Re: Behavior of Host: vs. SNI Hostname in proxy CONNECT requests
Date Tue, 26 Nov 2013 17:47:39 GMT

On 11/26/2013 06:18 PM, Kaspar Brand wrote:
> On 26.11.2013 09:29, Yann Ylavic wrote:
>> Another point is that SNI cannot be an IP address according to RFC
>> 6066:
>> 3.  Server Name Indication
>>     [...]
>>     Literal IPv4 and IPv6 addresses are not permitted in "HostName".
>> and this is not specifically checked by mod_proxy before filling SNI.
>> Shouldn't the SNI be omitted when the Host is missing/empty or an IP
>> address too?
> Yes, ssl_engine_io.c:ssl_io_filter_handshake() takes care of that.
> (I argued for adding this to OpenSSL back in 2009 [1], but one reaction
> was "is not exactly a nice thing" and "Looks ugly" [2].)

Since I am the culprit about that hasty response :-)

The "design" for SNI is: The protocol is between the applications.

The best thing that the client part in OpenSSL would check is whether
the servername is syntactically an FQDN, and the server could validate
this. Well, then someone will ask about validation of I18N names.

OpenSSL does not check such things AFAIK. It is not an application
level firewall. For example, there is no code to check whether a
hostname matches a certificate, etc.


> Kaspar
> [1]
> [2]
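
The thread above agrees on two points: the proxy client should omit SNI when the Host header is empty or a literal IP address (RFC 6066 section 3 forbids IP literals in "HostName"), and the most a TLS client could reasonably do beyond that is check that the name is syntactically an FQDN. The following is an added example written for this archive page; it is not httpd's ssl_io_filter_handshake() nor any OpenSSL code. The function names sni_strip_host, sni_is_hostname, sni_name_from_host and sni_check are this example's own, and the sample Host values in main() are constructed.

```c
/* Added example (not httpd or OpenSSL code): decide whether a Host header
 * value may be sent as the TLS SNI "HostName" per RFC 6066 section 3.
 * RFC 6066 forbids literal IPv4/IPv6 addresses in HostName and says the
 * name is ASCII without a trailing dot; an empty Host gives nothing to send.
 * In all of those cases the client should omit the SNI extension entirely.
 * IDN labels must already be A-labels (xn--...); conversion is out of scope. */
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOST_LEN 253   /* RFC 1035 limit on a full domain name */

/* Copy the Host value into buf, dropping a trailing ":port" and the
 * brackets of a "[v6addr]" form. Returns the copied length, or -1 if the
 * value is malformed or does not fit. */
static int sni_strip_host(const char *host, char *buf, size_t buflen)
{
    size_t len = strlen(host);
    const char *start = host, *end = host + len;

    if (len > 0 && host[0] == '[') {            /* "[v6addr]" or "[v6addr]:port" */
        const char *rb = memchr(host, ']', len);
        if (rb == NULL) return -1;               /* unbalanced bracket: reject */
        start = host + 1;
        end = rb;
    } else {
        const char *colon = strchr(host, ':');
        /* exactly one ':' means "name:port"; two or more means a bare IPv6
         * literal, which is kept whole so inet_pton() can recognise it */
        if (colon != NULL && strchr(colon + 1, ':') == NULL)
            end = colon;
    }
    if ((size_t)(end - start) >= buflen) return -1;
    memcpy(buf, start, (size_t)(end - start));
    buf[end - start] = '\0';
    return (int)(end - start);
}

/* 1 if name is a syntactically valid DNS hostname: LDH labels of 1..63
 * octets, no leading or trailing hyphen, no empty label, no trailing dot,
 * total length <= 253. */
static int sni_is_hostname(const char *name)
{
    size_t len = strlen(name), label = 0;
    if (len == 0 || len > MAX_HOST_LEN) return 0;
    for (size_t i = 0; i <= len; i++) {
        char c = name[i];
        if (c == '.' || c == '\0') {
            if (label == 0 || label > 63) return 0;   /* empty/overlong label */
            if (name[i - 1] == '-') return 0;          /* trailing hyphen */
            label = 0;
            if (c == '\0') break;
            continue;
        }
        if (!(isalnum((unsigned char)c) || c == '-')) return 0;
        if (label == 0 && c == '-') return 0;          /* leading hyphen */
        label++;
    }
    return 1;
}

/* Returns 1 and fills sni with the name to send, or 0 if the SNI extension
 * should be omitted (empty Host, IP literal, or not a hostname). */
int sni_name_from_host(const char *host, char *sni, size_t snilen)
{
    unsigned char addr[16];
    if (host == NULL || sni == NULL || snilen == 0) return 0;
    sni[0] = '\0';
    if (sni_strip_host(host, sni, snilen) <= 0) { sni[0] = '\0'; return 0; }
    if (inet_pton(AF_INET, sni, addr) == 1 ||
        inet_pton(AF_INET6, sni, addr) == 1) {
        sni[0] = '\0';                           /* RFC 6066: no IP literals */
        return 0;
    }
    if (!sni_is_hostname(sni)) { sni[0] = '\0'; return 0; }
    return 1;
}

/* Convenience wrapper: 1 if host yields exactly `expected` as the SNI name,
 * or (when expected is NULL) if SNI is omitted for it. */
int sni_check(const char *host, const char *expected)
{
    char sni[MAX_HOST_LEN + 1];
    int send = sni_name_from_host(host, sni, sizeof sni);
    if (expected == NULL) return send == 0;
    return send == 1 && strcmp(sni, expected) == 0;
}

int main(void)
{
    /* constructed Host header values, not taken from any real traffic */
    static const char *const samples[] = {
        "www.example.com", "www.example.com:443", "192.0.2.10:8443",
        "[2001:db8::1]:443", "::1", "", "-bad.example", "xn--bcher-kva.example"
    };
    char sni[MAX_HOST_LEN + 1];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int send = sni_name_from_host(samples[i], sni, sizeof sni);
        printf("%-24s -> %s%s\n", samples[i], send ? "SNI=" : "omit SNI",
               send ? sni : "");
    }
    return 0;
}
```

The port is stripped before the address test because a proxy receives "host:port" in CONNECT requests, and "192.0.2.10:8443" must still be recognised as an IP literal; the bracketed IPv6 form is handled the same way. The hostname check is deliberately conservative and is the "syntactically an FQDN" test discussed above, not certificate matching, which stays an application-level concern.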
