httpd-dev mailing list archives

From Kaspar Brand <httpd-dev.2...@velox.ch>
Subject Re: Behavior of Host: vs. SNI Hostname in proxy CONNECT requests
Date Wed, 27 Nov 2013 05:57:24 GMT
On 26.11.2013 10:38, Yann Ylavic wrote:
> With the per worker (single) connections-reslist model, if the connection
> were to be closed in determine_connection() when the Host mismatches, that
> would be a painful performance penalty when SNI is enabled (no option to
> disable currently)...

With SNI, the assumption "same IP and port, same TLS peer" no longer
holds true. Two backend URLs, though served from the same IP:port, might
have very different characteristics (one using an RSA cert, the other
ECDSA e.g., and distinct supported cipher suites). I.e., you're really
talking to two completely different peers in this case.

Kaspar
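
The point above about connection reuse, as an added example that is not part of the original message and is not httpd code: a simulated pool keyed on IP:port alone hands a request for one name a connection whose handshake was done for another, while a pool keyed on IP, port and SNI name does not. The host names, the address and the `Pool`, `handshake` and `fetch_both` helpers are hypothetical, and the handshake is a stand-in with no network I/O.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed backend: one IP:port, two name-based TLS vhosts with different certs.
VHOSTS = {
    "rsa.backend.example": "RSA",
    "ecdsa.backend.example": "ECDSA",
}

@dataclass
class TLSConn:
    ip: str
    port: int
    sni: str        # server_name sent in the ClientHello
    peer_cert: str  # certificate type the peer selected for that name

def handshake(ip, port, sni):
    """Stand-in for a TLS handshake: the peer's identity is chosen by SNI."""
    return TLSConn(ip, port, sni, VHOSTS[sni])

class Pool:
    """Idle-connection pool; sni_aware decides whether SNI is part of the key."""
    def __init__(self, sni_aware):
        self.sni_aware = sni_aware
        self.idle = defaultdict(list)
        self.handshakes = 0

    def _key(self, ip, port, sni):
        return (ip, port, sni) if self.sni_aware else (ip, port)

    def acquire(self, ip, port, host):
        key = self._key(ip, port, host)
        if self.idle[key]:
            return self.idle[key].pop()      # reuse: no new handshake
        self.handshakes += 1
        return handshake(ip, port, host)

    def release(self, conn):
        self.idle[self._key(conn.ip, conn.port, conn.sni)].append(conn)

def fetch_both(pool):
    """Send three requests in sequence; return (Host, SNI, cert) for each."""
    seen = []
    for host in ("rsa.backend.example", "ecdsa.backend.example", "rsa.backend.example"):
        conn = pool.acquire("192.0.2.10", 443, host)
        seen.append((host, conn.sni, conn.peer_cert))
        pool.release(conn)
    return seen
```

In this simulation the SNI-aware pool still reuses the idle connection for the repeated name, so the added cost is one handshake per distinct name rather than one per request.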
