Date: Thu, 12 Dec 2013 13:00:53 -0600
From: "William A. Rowe Jr."
To: dev@httpd.apache.org
Cc: peter.sylvester@edelweb.fr
Subject: Re: [SPAM?]: Re: Behavior of Host: vs. SNI Hostname in proxy CONNECT requests
Message-ID: <20131212130053.3d725a79@hub>
In-Reply-To: <52A969D8.5060306@edelweb.fr>
References: <20131125155541.66e19919@hub> <52943239.9080607@velox.ch> <20131211171545.2012e83b@hub> <52A969D8.5060306@edelweb.fr>

On Thu, 12 Dec 2013 08:46:32 +0100
Peter Sylvester wrote:

> > The rest of the SNI hostname processing steps are where the problem
> > lies. We still need to perform http headers -> vhost translation
> > after the connection is established. If there's any desire to do
> > SNI hostname validation, that has to be limited to comparing that
> > hostname to the ServerName/ServerAlias entries, not to the HTTP
> > Host: which has a different semantic meaning and is the only
> > hostname of interest to httpd as an HTTP server.
>
> this part was always a bit strange: the initial idea was: When the
> code sees the Host: and when there was no sni, to force a
> renegotiation with the right cert/key.

That doesn't work, as user agents won't proceed with a request because
they had not established trust, and the user agent then rightfully ends
this attempt with an error (or a sufficiently painful 'ignore this error'
action on the part of the user).

But again, the Host: field is not defined as the dns name of this
next-hop server, but the hostname component of the requested URI.
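The distinction the message draws, as an added example that is not part of the thread and not httpd's own code: the SNI hostname is read from the TLS ClientHello and is only compared against the configured ServerName/ServerAlias entries, while the HTTP Host: header (the host component of the request URI) is what selects the virtual host after the connection is up. The ClientHello builder, the vhost table and the request bytes are constructed for the example; the function names are assumptions, not httpd APIs.

```python
import struct
from typing import List, Optional, Tuple

# Constructed stand-in for a ServerName/ServerAlias configuration. The first
# entry plays the role of the default vhost, as in httpd.
VHOSTS = [
    {"ServerName": "www.example.org", "ServerAlias": ["example.org"]},
    {"ServerName": "api.example.org", "ServerAlias": []},
]


def build_client_hello(host_name: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello handshake message (constructed test
    input), optionally carrying a server_name extension (RFC 6066)."""
    body = b"\x03\x03" + b"\x00" * 32            # client_version + random
    body += b"\x00"                               # session_id length 0
    body += struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite
    body += b"\x01\x00"                           # one compression method: null
    exts = b""
    if host_name is not None:
        name = host_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name type
        sni_list = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body += struct.pack("!H", len(exts)) + exts
    return b"\x01" + len(body).to_bytes(3, "big") + body        # handshake hdr


def parse_sni(client_hello: bytes) -> Optional[str]:
    """Return the lower-cased host_name from the server_name extension of a
    ClientHello handshake message, or None when the client sent no SNI."""
    if len(client_hello) < 4 or client_hello[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    length = int.from_bytes(client_hello[1:4], "big")
    body = client_hello[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                  # skip version and random
    pos += 1 + body[pos]                          # skip session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher suites
    pos += 1 + body[pos]                          # skip compression methods
    if pos >= len(body):
        return None                               # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_size]
        pos += ext_size
        if ext_type != 0x0000:
            continue
        list_len = struct.unpack("!H", data[0:2])[0]
        lp = 2
        while lp + 3 <= 2 + list_len:
            name_type = data[lp]
            name_len = struct.unpack("!H", data[lp + 1:lp + 3])[0]
            name = data[lp + 3:lp + 3 + name_len]
            lp += 3 + name_len
            if name_type == 0:                    # NameType host_name
                return name.decode("ascii").lower()
    return None


def parse_host_header(request: bytes) -> Optional[str]:
    """Return the Host: value (lower-cased, port removed) from an HTTP/1.1
    request head, or None when the header is absent."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii").lower()
            if host.startswith("["):              # IPv6 literal: keep brackets
                return host[:host.index("]") + 1]
            return host.split(":", 1)[0]
    return None


def select_vhost(host: Optional[str]) -> str:
    """HTTP-layer vhost selection driven by the Host: header only; an unknown
    or missing Host: falls back to the default (first) vhost."""
    for vh in VHOSTS:
        if host == vh["ServerName"] or host in vh["ServerAlias"]:
            return vh["ServerName"]
    return VHOSTS[0]["ServerName"]


def sni_is_configured(sni: Optional[str]) -> bool:
    """The only SNI validation the message allows: compare the SNI hostname
    with ServerName/ServerAlias entries, never with the HTTP Host: header."""
    if sni is None:
        return False
    return any(sni == vh["ServerName"] or sni in vh["ServerAlias"] for vh in VHOSTS)


def handle_connection(client_hello: bytes, request: bytes) -> Tuple[Optional[str], bool, str]:
    """Run both layers in order: TLS-level SNI check, then Host:-based vhost
    selection once the request arrives over the established connection."""
    sni = parse_sni(client_hello)
    host = parse_host_header(request)
    return sni, sni_is_configured(sni), select_vhost(host)


if __name__ == "__main__":
    hello = build_client_hello("www.example.org")
    req = b"GET /index.html HTTP/1.1\r\nHost: api.example.org:443\r\n\r\n"
    print(handle_connection(hello, req))
```

Note that the SNI and the Host: header may legitimately name different configured hosts on the same connection; the code above does not reject that, because, as the message says, they carry different semantics and only the Host: header is the HTTP server's concern.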