httpd-dev mailing list archives

From "William A. Rowe Jr." <wmr...@gmail.com>
Subject Re: Behavior of Host: vs. SNI Hostname in proxy CONNECT requests
Date Fri, 28 Feb 2014 00:20:46 GMT
On Wed, Feb 26, 2014 at 2:45 PM, Ruediger Pluem <rpluem@apache.org> claimed:

> Even if they use IP/Port based virtual hosting the SNI name and supplied host header
> should be consistent.

For all incoming forward proxy requests your statement is complete nonsense.

The Host: header consistently appears to reflect the hostname of the
URI of the proxy request (as distinguished from httpd internal proxy
requests).

Given that *.example.com is a perfectly valid host cert CN, as is
foo.example.com while bar.example.com is the altname of the certificate,
accessing bar.example.com MUST NOT break when upgrading from 2.2.25 to
2.2.27.

I see no evidence that the users are being considered here, only the particular
scenario advocated by a couple of pmc members.  Our absolute policy is to
minimize disruptions for users when they migrate from 2.2.x to 2.2.y, or from
2.4.x to 2.4.y.  This test fails to meet that test for legitimate or for
illegitimate (as deigned by yourself) configurations.
