Dear Wiki user, You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.
The following page has been changed by DanPoirier: http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI The comment on the change is: Add SSLStrictSNIVHostCheck ------------------------------------------------------------------------------ == Changes in configuration to use SNI == - There aren't any new directives related to SNI. + There is one new directive related to using SNI with name-based + virtual hosts, '''SSLStrict``SNIV``Host``Check''', which controls whether + to allow non SNI clients to access a name-based virtual host. + (Link to Apache doc for that directive) The first (default) vhost for SSL name-based virtual hosts '''must''' include TLSv1 as a permitted protocol, @@ -116, +119 @@ === Client doesn't support SNI. === If Apache has SNI support, and a request without the SNI hostname - is received for a name-based virtual host over SSL, it will be + is received for a name-based virtual host over SSL, and + SSLStrict``SNIVHost``Check is '''on''', it will be rejected (403) and this message logged: {{{ [error] No hostname was provided via SNI for a name based virtual host }}} + + If SSLStrict``SNIVHost``Check is '''off''', then the request will be handled + as if the server did not have SNI support; see above. == Examples == @@ -131, +138 @@ # Listen for virtual host requests on all IP addresses NameVirtualHost *:443 + + # Go ahead and accept connections for these vhosts + # from non-SNI clients + SSLStrictSNIVHostCheck off <VirtualHost *:443> # Because this virtual host is defined first, it will
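Review bot: The added line "(Link to Apache doc for that directive)" in the first hunk (under "== Changes in configuration to use SNI ==") is a placeholder left in the page text; replace it with the actual link to the directive's documentation, or drop the line until the link is available. The same paragraph writes "non SNI clients" where the example hunk writes "non-SNI clients", and it escapes the name as SSLStrict``SNIV``Host``Check while the next hunk uses SSLStrict``SNIVHost``Check; settle on one form of each. The paragraph says what the directive controls but not its default, so a reader cannot tell what an unconfigured server does.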
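Review bot: In the @@ -116, +119 @@ hunk, the new closing sentence for the '''off''' case ends with "see above" without naming the section it refers to. Name the heading that describes a server without SNI support, so a reader landing on "Client doesn't support SNI" can find which behaviour a non-SNI client gets when the check is off. Since the 403 and the logged error now apply only when the directive is '''on''', this section should also say which of the two values applies when the directive is not set at all.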
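Review bot: In the @@ -131, +138 @@ hunk, the comment above "SSLStrictSNIVHostCheck off" explains only the permissive choice, and the example is likely to be copied as-is. Add a comment line saying that setting it to on rejects non-SNI clients with a 403, as the "Client doesn't support SNI" section describes, so readers who want these vhosts reachable only by SNI-capable clients know which value to use.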