SSL, SNI and SSLStrictSNIVHostCheck

Is the directive
    SSLStrictSNIVHostCheck On
meant to block connections to a virtual host if the connecting client uses an IP literal as URL? RFC 6066 states that
    Literal IPv4 and IPv6 addresses are not permitted in "HostName".
since an SNI doesn't make sense at all for an IP literal and this (https://bugzilla.mozilla.org/show_bug.cgi?id=421634) bug report/patch for FF does exactly what I would expect for such a client request, which is to not send any SNI at all.

The docs don't mention this corner case (http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslstrictsnivhostcheck) and I think the "issue" traces to
    httpd-2.4.3/modules/ssl/ssl_engine_kernel.c:166
where there is no check if the SNI is necessary at all, only if it is present:
    if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {

So if this is not working as intended, I suggest adding an IP literal detection at this place, and if it is working as intended, I would like to know the reasoning behind it.

Cheers,
  Thomas
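
The distinction raised in the message above, as an added example (not part of the original post and not httpd code): it separates a client that sent no SNI because it connected by IP literal from one that sent none for a DNS name. `host_is_ip_literal` and `classify_sni` are hypothetical names, and the requested host is assumed to arrive with any port suffix already removed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

enum sni_case { SNI_OK, SNI_NOT_EXPECTED, SNI_MISSING, SNI_INVALID };

/* 1 if host is an IPv4/IPv6 literal (IPv6 may be in URL brackets), else 0.
 * Assumption: any ":port" suffix has already been removed by the caller. */
int host_is_ip_literal(const char *host)
{
    unsigned char addr[sizeof(struct in6_addr)];
    char buf[INET6_ADDRSTRLEN];
    size_t len = host ? strlen(host) : 0;
    if (len == 0)
        return 0;
    if (host[0] == '[') {               /* URL form: [2001:db8::1] */
        if (len < 4 || host[len - 1] != ']' || len - 2 >= sizeof(buf))
            return 0;
        memcpy(buf, host + 1, len - 2);
        buf[len - 2] = '\0';
        return inet_pton(AF_INET6, buf, addr) == 1;
    }
    return inet_pton(AF_INET, host, addr) == 1 ||
           inet_pton(AF_INET6, host, addr) == 1;
}

/* host: name the client requested (hypothetical input, e.g. from Host:).
 * sni:  server_name from the ClientHello, or NULL if none was sent. */
enum sni_case classify_sni(const char *host, const char *sni)
{
    if (sni != NULL)                    /* RFC 6066: no literals in HostName */
        return host_is_ip_literal(sni) ? SNI_INVALID : SNI_OK;
    return host_is_ip_literal(host) ? SNI_NOT_EXPECTED : SNI_MISSING;
}

int main(void)
{
    /* Constructed sample requests: {requested host, SNI or NULL}. */
    const char *req[][2] = { { "www.example.com", "www.example.com" },
                             { "192.0.2.10", NULL },
                             { "[2001:db8::1]", NULL },
                             { "www.example.com", NULL } };
    static const char *label[] = { "SNI ok", "no SNI, none expected (IP literal)",
                                   "no SNI, SNI-unaware client", "invalid SNI" };
    for (size_t i = 0; i < sizeof(req) / sizeof(req[0]); i++)
        printf("%-16s -> %s\n", req[i][0], label[classify_sni(req[i][0], req[i][1])]);
    return 0;
}
```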
