On 21.12.2013 14:21, Ruediger Pluem wrote:
>> I guess a more general fix for this would be:
>
> No further comments / feedback? If not then I would commit the patch.

The change looks fine to me (for easier comparison/review,
a whitespace-change-ignoring version is attached).

What would probably make sense is to amend the following comment
on this occasion:

    /*
     * The SNI extension supplied a hostname. So don't accept requests
     * with either no hostname or a different hostname.
     */

It doesn't say anything about the rationale right now, and as
recent discussions have shown, it would be helpful to explain
why this is done.

Kaspar

Index: ssl_engine_kernel.c
===================================================================
--- ssl_engine_kernel.c (revision 1551618)
+++ ssl_engine_kernel.c (working copy)
@@ -164,6 +164,7 @@ int ssl_hook_ReadReq(request_rec *r)
return DECLINED;
}
#ifdef HAVE_TLSEXT
+ if (r->proxyreq != PROXYREQ_PROXY) {
if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
char *host, *scope_id;
apr_port_t port;
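Review bot: the new `if (r->proxyreq != PROXYREQ_PROXY) {` guard in front of the `SSL_get_servername()` test has no comment saying why forward-proxy requests are exempt from the SNI hostname comparison. Since this check is what rejects a request whose hostname differs from the name negotiated in the TLS handshake, an undocumented exemption is easy to widen or drop by mistake later. Please add a short comment above the condition stating the rationale, and that only `PROXYREQ_PROXY` is exempt while every other `r->proxyreq` value still goes through the check.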
@@ -206,6 +207,7 @@ int ssl_hook_ReadReq(request_rec *r)
" virtual host");
return HTTP_FORBIDDEN;
}
+ }
#endif
SSL_set_app_data2(ssl, r);
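Review bot: the closing `}` added just before `#endif` sits after the branch that ends in `return HTTP_FORBIDDEN;`, so everything between the two added lines is skipped for forward-proxy requests, not only the SNI name comparison at the top. The lines between the two hunks are not shown here, so please confirm that each rejection path inside the wrapped block is meant to be bypassed when `r->proxyreq == PROXYREQ_PROXY`, and that such requests are intended to fall straight through to `SSL_set_app_data2(ssl, r)`. If any of those checks should still apply, move the guard down to just the hostname comparison.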