Date: Wed, 10 Jun 2015 17:48:53 +0200
Subject: Re: SNI Host: header mismatch
From: Yann Ylavic
To: dev@httpd.apache.org

On Wed, Jun 10, 2015 at 5:30 PM, Yann Ylavic wrote:
> On Wed, Jun 10, 2015 at 4:41 PM, Stefan Eissing wrote:
>> Today I had the second user which got "400 Bad Request" when using mod_h2 with a wildcard certificate. So, I was thinking how to possibly fix the code in mod_ssl.
>>
>> The mostly harmless approach is the addition of a configuration directive that admins may use to explicitly allow multiple host requests on a SNI connection. Which would mean that both the config of the SNI host and the config of the request host have "SSLSNIVHostMatch off".
>>
>> The case where no Host header is provided or no SNI is used I propose to leave unaffected, e.g. continue to fail.
>>
>> Any thoughts?
>
> Maybe matching against the ServerName and ServerAlias(es) instead of
> the Host header, so that the admin can still have a control on it...

E.g. by using ap_matches_request_vhost(r, SNI, 0).
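
A minimal model of the check suggested in the reply above, as an added example that is not code from the thread or from httpd: `struct vhost`, `host_glob` and `sni_matches_request_vhost` are hypothetical stand-ins, and the sample hosts are constructed. It accepts the request only when the vhost selected by the Host header also answers to the SNI name through its ServerName or a ServerAlias.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for a configured vhost: ServerName plus ServerAlias list. */
struct vhost {
    const char *server_name;
    const char *aliases[4];   /* NULL-terminated; entries may contain '*' or '?' */
};

/* Case-insensitive glob match: '*' matches any run of characters, '?' exactly one. */
static int host_glob(const char *s, const char *p)
{
    for (; *p; s++, p++) {
        if (*p == '*') {
            while (*p == '*') p++;
            if (!*p) return 1;
            for (; *s; s++)
                if (host_glob(s, p)) return 1;
            return 0;
        }
        if (!*s) return 0;
        if (*p != '?' && tolower((unsigned char)*s) != tolower((unsigned char)*p))
            return 0;
    }
    return *s == '\0';
}

/* Relaxed check: req_vh is the vhost chosen from the Host header; accept the
   connection's SNI name only if that same vhost is configured under it. */
int sni_matches_request_vhost(const struct vhost *req_vh, const char *sni)
{
    if (!sni || !*sni) return 0;   /* no SNI: not relaxed, as proposed in the thread */
    if (host_glob(sni, req_vh->server_name)) return 1;
    for (size_t i = 0; i < 4 && req_vh->aliases[i]; i++)
        if (host_glob(sni, req_vh->aliases[i])) return 1;
    return 0;
}

/* Constructed sample configuration. */
static const struct vhost vh_shop  = { "shop.example.org", { "*.example.org", NULL } };
static const struct vhost vh_admin = { "admin.internal.test", { NULL } };

int main(void)
{
    printf("SNI www.example.org, Host vhost shop:  %d\n", sni_matches_request_vhost(&vh_shop, "www.example.org"));
    printf("SNI www.example.org, Host vhost admin: %d\n", sni_matches_request_vhost(&vh_admin, "www.example.org"));
    return 0;
}
```

With this rule a wildcard-certificate connection can be reused for sibling names the admin listed on the same vhost, while a Host header that selects an unrelated vhost is still rejected.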