httpd-users mailing list archives

From Eric Covener <cove...@gmail.com>
Subject Re: [users@httpd] SSL+SNI+client-auth fakeBasicAuth "lost" after some time
Date Sun, 19 Feb 2012 14:04:13 GMT
> 2nd access:
> I get an error, that no SNI hostname would have been provided, but still,
> the output appears in the log file of the non-default name based vhost,
> strange isn't it?
>

No, Apache will still do normal vhost resolution. It's only mod_ssl
that will jump in the way if that occurred without SNI on an SSL
vhost. The error is logged to the name-based vhost that you
landed on.

> And I have:
> SSLStrictSNIVHostCheck on
> so I'd expect to fail any access if no SNI hostname would have been
> provided.

I'm not a big mod_ssl user, but isn't that exactly what's happening
with your 403?

You should be able to confirm in a packet capture or by logging
%{SSL_TLS_SNI}e. You'd also want to confirm whether your SSL
Session ID is being reused, but after 10 minutes this should not be
the case.  This would be obvious in the handshake (unencrypted) but I
don't know what you'd log or look for in traces with mod_ssl.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
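
The check suggested in the reply above (log the SNI name and the SSL session ID, then look for requests without SNI and for session IDs still in use after 10 minutes), as an added example that is not part of the original message. It assumes the access log is written with mod_ssl's `%{SSL_TLS_SNI}x` and `%{SSL_SESSION_ID}x` format items in the hypothetical layout shown in the comment, and that an unset value is logged as `-`; the log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Assumed (hypothetical) access-log layout, produced by a LogFormat such as:
#   LogFormat "%t %h sni=%{SSL_TLS_SNI}x sid=%{SSL_SESSION_ID}x %>s" snidebug
LINE_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] (?P<ip>\S+) sni=(?P<sni>\S+) sid=(?P<sid>\S+) (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines (not taken from the thread).
SAMPLE_LOG = """\
[19/Feb/2012:13:40:02 +0000] 192.0.2.10 sni=secure.example.org sid=A1B2C3 200
[19/Feb/2012:13:41:15 +0000] 192.0.2.10 sni=secure.example.org sid=A1B2C3 200
[19/Feb/2012:13:52:30 +0000] 192.0.2.10 sni=- sid=A1B2C3 403
[19/Feb/2012:13:53:00 +0000] 192.0.2.10 sni=secure.example.org sid=D4E5F6 200
"""

def analyze(log_text, max_session_age=timedelta(minutes=10)):
    """Flag requests logged without SNI and session IDs seen again
    more than max_session_age after they first appeared."""
    first_seen = {}   # session ID -> timestamp of first request using it
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed layout
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        sni, sid, status = m["sni"], m["sid"], int(m["status"])
        if sni == "-":
            findings.append(("no_sni", m["ip"], sid, status))
        if sid != "-":
            start = first_seen.setdefault(sid, ts)
            if ts - start > max_session_age:
                findings.append(("stale_session_reuse", m["ip"], sid, status))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```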

