Subject: Re: SNI Host: header mismatch
From: Yann Ylavic
To: dev@httpd.apache.org
Date: Wed, 10 Jun 2015 17:30:26 +0200

On Wed, Jun 10, 2015 at 4:41 PM, Stefan Eissing wrote:
> Today I had the second user which got "400 Bad Request" when using mod_h2 with a wildcard certificate. So, I was thinking how to possibly fix the code in mod_ssl.
>
> The mostly harmless approach is the addition of a configuration directive that admins may use to explicitly allow multiple host requests on a SNI connection. Which would mean that both the config of the SNI host and the config of the request host have "SSLSNIVHostMatch off".
>
> The case where no Host header is provided or no SNI is used I propose to leave unaffected, e.g. continue to fail.
>
> Any thoughts?

Maybe matching against the ServerName and ServerAlias(es) instead of the Host header, so that the admin can still have a control on it...
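
The two policies discussed in this thread, as an added example (not mod_ssl code and not written by either poster): `strict_check` models the SNI/Host equality rule behind the "400 Bad Request", and `alias_check` models one reading of the ServerName/ServerAlias suggestion. The struct, the function names, the one-label wildcard rule and the hostnames are assumptions constructed for illustration; the Host value is assumed to be already stripped of any port.

```c
#include <string.h>
#include <strings.h>

/* Hypothetical model of a vhost: ServerName plus ServerAlias entries. */
struct vhost {
    const char *server_name;
    const char *aliases[4];      /* NULL-terminated list */
};

/* Case-insensitive; a leading "*." covers exactly one label (simplified). */
static int name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        return dot && dot != host && strcasecmp(dot + 1, pattern + 2) == 0;
    }
    return strcasecmp(pattern, host) == 0;
}

/* Strict rule: Host must equal the SNI name, otherwise "400 Bad Request". */
int strict_check(const char *sni, const char *host)
{
    return sni != NULL && host != NULL && strcasecmp(sni, host) == 0;
}

/* Relaxed rule (assumed reading): Host must be one of the names the
 * SNI-selected vhost is configured for. Missing SNI or Host still fails. */
int alias_check(const struct vhost *v, const char *sni, const char *host)
{
    size_t i;
    if (sni == NULL || host == NULL)
        return 0;
    if (name_matches(v->server_name, host))
        return 1;
    for (i = 0; i < 4 && v->aliases[i] != NULL; i++)
        if (name_matches(v->aliases[i], host))
            return 1;
    return 0;
}

/* Constructed sample: the vhost chosen for SNI "www.example.org". */
static const struct vhost sample = {
    "www.example.org", { "example.org", "*.static.example.org", NULL }
};

int relaxed_demo(const char *sni, const char *host)
{
    return alias_check(&sample, sni, host);
}
```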