httpd-dev mailing list archives

From Yann Ylavic <ylavic....@gmail.com>
Subject Re: svn commit: r1585090 - in /httpd/httpd/trunk: CHANGES modules/ssl/ssl_engine_init.c modules/ssl/ssl_engine_kernel.c
Date Wed, 16 Apr 2014 13:00:05 GMT
On Wed, Apr 16, 2014 at 2:41 PM, Plüm, Rüdiger, Vodafone Group
<ruediger.pluem@vodafone.com> wrote:
>
>> -----Original Message-----
>> From: Yann Ylavic [mailto:ylavic.dev@gmail.com]
>> This base_server directive would help prevent vhost misuse at the
>> source, whatever the vhosts' configs are, and however we relax the
>> Host vs SNI check.
>
> I don't think so. The SNI provided hostname and the HTTP host header still need to match.

Which can't be if no vhost is defined for that SNI, the option would
not break that (it's more a hardening feature).
I'm not arguing we should relax the check (now), but when/if
everything can be done/renegotiated at hook_Access time, hook_ReadReq
will have to let it go, still the check at SSL (alert) level is
relevant IMHO.

>
> Regards
>
> Rüdiger
>
