On Tue, Nov 26, 2013 at 6:18 PM, Kaspar Brand <httpd-dev.2...@velox.ch> wrote:

> On 26.11.2013 09:29, Yann Ylavic wrote:
> > Another point is that SNI cannot be an IP address according to the RFC
> > 6066:
> >
> > 3. Server Name Indication
> >    [...]
> >    Literal IPv4 and IPv6 addresses are not permitted in "HostName".
> >
> > and this is not specifically checked by mod_proxy before filling SNI.
> >
> > Shouldn't the SNI be omitted when the Host is missing/empty or an IP
> > address too?
>
> Yes, ssl_engine_io.c:ssl_io_filter_handshake() takes care of that.
> (I argued for adding this to OpenSSL back in 2009 [1], but one reaction
> was "is not exactly a nice thing" and "Looks ugly" [2].)
>

I see.
Do you know if the port can be part of the SNI (e.g. "www.domain.net:8080")
so that it can be checked against the Host (which may contain that port)?
I can't find any reference about this.

> Kaspar
>
> [1]
> http://mail-archives.apache.org/mod_mbox/httpd-dev/200910.mbox/%3C4AE47BB6.3030009%40velox.ch%3E
>
> [2]
> http://mail-archives.apache.org/mod_mbox/httpd-dev/200910.mbox/%3c4ae4bfe0.6010...@edelweb.fr%3E
>
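
The check discussed in this thread, as an added example that is not part of the original message and is not httpd or OpenSSL code: a hypothetical helper, `sni_name_from_host`, that decides from a Host value whether SNI should be sent, omitting it for a missing or empty Host or an IP literal. It assumes a `:port` suffix is stripped before the name is used, since RFC 6066 describes "HostName" as a DNS hostname.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not httpd/OpenSSL code). Returns 1 and writes the
 * DNS name to `out` when SNI should be sent; returns 0 and leaves `out`
 * empty when SNI should be omitted. */
int sni_name_from_host(const char *host, char *out, size_t outlen)
{
    struct in_addr v4;
    const char *colon;
    size_t len;

    if (out == NULL || outlen == 0)
        return 0;
    out[0] = '\0';
    if (host == NULL || *host == '\0')
        return 0;                 /* missing or empty Host */
    if (*host == '[')
        return 0;                 /* "[...]" is always an IP literal */

    /* At most one colon is allowed: the ":port" separator. More than one
     * means an unbracketed IPv6 literal or a malformed value. */
    colon = strchr(host, ':');
    if (colon != NULL && strchr(colon + 1, ':') != NULL)
        return 0;

    len = colon ? (size_t)(colon - host) : strlen(host);
    if (len == 0 || len >= outlen)
        return 0;                 /* ":8080" alone, or name too long */
    memcpy(out, host, len);
    out[len] = '\0';

    if (inet_pton(AF_INET, out, &v4) == 1) {
        out[0] = '\0';            /* literal IPv4 address: no SNI */
        return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample Host values. */
    const char *hosts[] = { "www.domain.net:8080", "192.0.2.10:443",
                            "[2001:db8::1]:8443", "" };
    char name[256];
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-22s -> %s\n", hosts[i],
               sni_name_from_host(hosts[i], name, sizeof name) ? name : "(no SNI)");
    return 0;
}
```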