httpd-users mailing list archives

From Thomas Eckert <Thomas.Eck...@Sophos.com>
Subject [users@httpd] SSL, SNI and SSLStrictSNIVHostCheck
Date Fri, 04 Jan 2013 09:33:14 GMT
Is the directive
     SSLStrictSNIVHostCheck On
meant to block connections to a virtual host if the connecting client 
uses an IP literal as the URL? RFC 6066 states that
     Literal IPv4 and IPv6 addresses are not permitted in "HostName".
since an SNI doesn't make sense at all for an IP literal, and this 
(https://bugzilla.mozilla.org/show_bug.cgi?id=421634) bug report/patch 
for FF does exactly what I would expect for such a client request, which 
is to not send any SNI at all.

The docs don't mention this corner case 
(http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslstrictsnivhostcheck) 
and I think the "issue" traces to
     httpd-2.4.3/modules/ssl/ssl_engine_kernel.c:166
where there is no check of whether the SNI is necessary at all, only of whether it is present:
     if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {

So if this is not working as intended, I suggest adding IP literal 
detection at this place, and if it is working as intended, I would like to 
know the reasoning behind it.

Cheers,
   Thomas

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
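The following is an added example, not code from httpd or from the message above. It models the two behaviours the message discusses: a client that follows RFC 6066 and sends no SNI when the URL host is an IP literal (what the Firefox patch does), and the server-side "IP literal detection" the message proposes at the point where mod_ssl reads the SNI. The function names (sni_is_ip_literal, sni_for_url_host, sni_validate) and the accept/reject policy are assumptions for illustration; they are not mod_ssl's actual vhost-selection logic, which lives in ssl_engine_kernel.c and is not reproduced here.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of inspecting the SNI value received by a server. Hypothetical
 * classification for this example, not an httpd enum. */
typedef enum {
    SNI_ABSENT,      /* client sent no server_name extension */
    SNI_OK,          /* a DNS-style host name, usable for vhost lookup */
    SNI_IP_LITERAL   /* an IPv4/IPv6 literal: forbidden by RFC 6066 */
} sni_status;

/* Returns true if 'name' is an IPv4 or IPv6 address literal. A bracketed
 * form such as "[2001:db8::1]" is also recognised, since that is how an
 * IPv6 literal appears in a URL authority. inet_pton() is strict, so
 * partial dotted forms like "192.0.2" are not treated as literals. */
bool sni_is_ip_literal(const char *name)
{
    unsigned char buf[16];
    char tmp[64];
    size_t len;

    if (name == NULL || *name == '\0')
        return false;

    len = strlen(name);
    if (len >= 2 && name[0] == '[' && name[len - 1] == ']') {
        if (len - 2 >= sizeof(tmp))
            return false;
        memcpy(tmp, name + 1, len - 2);
        tmp[len - 2] = '\0';
        name = tmp;
    }
    return inet_pton(AF_INET, name, buf) == 1 ||
           inet_pton(AF_INET6, name, buf) == 1;
}

/* Client side: given the host part of a URL, return the value to place in
 * the TLS server_name extension, or NULL to send no SNI at all. This is the
 * RFC 6066-conforming behaviour the message attributes to the Firefox patch. */
const char *sni_for_url_host(const char *host)
{
    if (host == NULL || *host == '\0' || sni_is_ip_literal(host))
        return NULL;
    return host;
}

/* Server side: classify the SNI value handed back by the TLS library
 * (NULL when the client sent none). A server that wants to detect the
 * corner case raised in the message would branch on SNI_IP_LITERAL here
 * instead of feeding the literal into name-based vhost lookup. */
sni_status sni_validate(const char *servername)
{
    if (servername == NULL || *servername == '\0')
        return SNI_ABSENT;
    if (sni_is_ip_literal(servername))
        return SNI_IP_LITERAL;
    return SNI_OK;
}

/* Stand-alone demonstration over constructed sample hosts. */
int main(void)
{
    const char *hosts[] = { "www.example.com", "192.0.2.10",
                            "[2001:db8::1]", "2001:db8::1", "192.0.2" };
    size_t i;

    for (i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++) {
        const char *sni = sni_for_url_host(hosts[i]);
        printf("URL host %-18s -> client sends SNI: %s; server sees: %d\n",
               hosts[i], sni ? sni : "(none)", (int)sni_validate(hosts[i]));
    }
    return 0;
}
```

The client function decides whether to send the extension at all; the server function assumes the library has already given it the raw string, so both checks share one literal detector. The last sample host ("192.0.2") shows that a string merely resembling an address is still sent and accepted as a host name.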

