Return-Path: X-Original-To: apmail-httpd-dev-archive@www.apache.org Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 80F4A18292 for ; Thu, 11 Jun 2015 16:08:49 +0000 (UTC) Received: (qmail 31249 invoked by uid 500); 11 Jun 2015 16:08:49 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 31166 invoked by uid 500); 11 Jun 2015 16:08:49 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 31156 invoked by uid 99); 11 Jun 2015 16:08:48 -0000 Received: from Unknown (HELO spamd4-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 11 Jun 2015 16:08:48 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd4-us-west.apache.org (ASF Mail Server at spamd4-us-west.apache.org) with ESMTP id 8ABACC0613 for ; Thu, 11 Jun 2015 16:08:48 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd4-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -0.009 X-Spam-Level: X-Spam-Status: No, score=-0.009 tagged_above=-999 required=6.31 tests=[T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=disabled Received: from mx1-us-west.apache.org ([10.40.0.8]) by localhost (spamd4-us-west.apache.org [10.40.0.11]) (amavisd-new, port 10024) with ESMTP id 72xchhjOYuHB for ; Thu, 11 Jun 2015 16:08:38 +0000 (UTC) Received: from mail.greenbytes.de (mail.greenbytes.de [217.91.35.233]) by mx1-us-west.apache.org (ASF Mail Server at mx1-us-west.apache.org) with ESMTPS id E741627606 for ; Thu, 11 Jun 2015 16:08:37 +0000 (UTC) Received: from [192.168.178.55] (unknown [84.189.80.41]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mail.greenbytes.de (Postfix) with ESMTPSA id B1BDC15A0058 for ; Thu, 11 Jun 2015 18:08:29 +0200 (CEST) From: Stefan Eissing Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Mime-Version: 1.0 (1.0) Subject: Re: SNI Host: header mismatch Message-Id: <0DC2853F-6376-4E56-9F62-49E4E13278F9@greenbytes.de> Date: Thu, 11 Jun 2015 18:08:28 +0200 References: <6A48855E-B573-4946-8BC7-AE914B94BE90@greenbytes.de> <718405ED-C623-44CA-BFE7-BC899CA088FD@greenbytes.de> In-Reply-To: To: "dev@httpd.apache.org" X-Mailer: iPhone Mail (12F70) Yes, it will work with the cert checks, not without. Sorry, if that was conf= using.=20 > Am 11.06.2015 um 17:56 schrieb Yann Ylavic : >=20 > On Thu, Jun 11, 2015 at 4:33 PM, Stefan Eissing > wrote: >> Two things: >>=20 >> 1. the minimal thing to fix the situation is to return 421 instead of 400= . H2 clients will then open a new TLS connection for the request host. I don= 't know if this breaks any HTTP/1 clients, however it should not. >=20 > I think this should be OK, HTTP/1 clients are prepared to received > unknown error codes AFAICT. >=20 >>=20 >> 2. Given that we answer not matching combinations with 421, the admin sho= uld be given the opportunity to allow this via some directive. This makes it= easier for her to do "anti-sharding" for h2 clients. >>=20 >> ap_matches_request_vhost() / ServerAlias is not the right choice, if I un= derstand it correctly, since the non-matching request is really intended for= another vhost and not just a using a fancy name for the real SNI one. >>=20 >> If there were named SSL configurations, httpd could allow connection reus= e for all vhosts with the same SSL config. Alternatively, is there a good wa= y to check that two vhosts use the same certificate (key)? That could work a= s well. >=20 > That's why I (also) proposed to check the SNI against the current > vhost's certificate's subject CN and/or AltNames (for wildcard certs). > AIUI, the client should not reuse connections unless one of those matches.= >=20 > Why wouldn't that work? >=20 > Regards, > Yann.