On Thursday, 20 February 2014 08:13:13, Eric Covener wrote:
> On Thu, Feb 20, 2014 at 7:47 AM, Pavel Matěja <pa...@netsafe.cz> wrote:
> > On Wednesday, 19 February 2014 21:09:10, William A. Rowe Jr. wrote:
> >> I believe that Kaspar and Ruediger are still entirely at odds with my
> >> position, but this 'enhancement' should never have been unilaterally
> >> applied as it was to 2.2.26 and must be reverted (even as the feature
> >> is 'fixed' with corrections they have blessed), e.g. the comparison
> >> must be constrained to apply only to SSLStrictSNIVHostCheck enforcing
> >> hosts under 2.2 to not break existing configurations.
> >> 
> >> It similarly ought to be constrained to SSLStrictSNIVHostCheck on the
> >> 2.4 branch, but I'm just not going to participate in that debate at
> >> all, which is why I say 'ought to'.  Time for a few more committers to
> >> review the relevant specs and chime in with opinions on productive vs.
> >> disruptive rules that are out-of-spec.
> > 
> > Last note:
> > when I go to the reverse proxy without hostname I can't get website at
> > all.
> > wget --no-check-certificate https://a.b.c.d will always return HTTP Error
> > 500: AH01084: pass request body failed to..
> > AH00898: Error during SSL Handshake with remote server returned by /
> > AH01097: pass request body failed to..
> > 
> > Any idea how to rework configuration without the downgrade to SSLv3?
> 
> Please post the full details in a bug report.

It's quite simple.
In pre-SNI days the hostname didn't matter.
Now you can't reach a backend SSL server thru a reverse proxy without the
correct one when you have ProxyPreserveHost On.
Apache will take the IP of the proxy and will try to pass it to the backend
server in SNI.
Which has to fail, obviously.
I guess the Apache reverse proxy should not fill a numeric IP address into the
SNI request at all.
Just what Kaspar Brand mentioned above: Pure host names (FQDN!) only: RFC 6066,
section 3.

Something like
modules/proxy/mod_proxy_http.c:1968
-if ((dconf->preserve_host != 0) && (r->hostname != NULL)) {
+if ((dconf->preserve_host != 0) && (r->hostname != NULL) && 
(is_fqdn(r->hostname))) {
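Review bot: The `is_fqdn(r->hostname)` term added to the condition calls a helper that is not defined anywhere in this change, and the message itself says it may not exist, so as posted this does not build. Since the stated goal is to keep a numeric IP address out of the SNI request, the test could be phrased as "is not an IPv4 or IPv6 literal" rather than "is an FQDN", which also avoids rejecting single-label backend names. The body of the `if` is not shown, so it is worth confirming what name, if any, is sent as SNI when the new term is false.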

I'm not sure if there is such a function or what it is called.
-- 
Pavel Matěja
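
The rule argued for in the message above (no numeric IP address in the SNI name, per RFC 6066 section 3) can be expressed as a stand-alone check. This is an added example, not part of the original message and not httpd or APR code; `sni_name_allowed` is a hypothetical name and the sample Host values are constructed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not an httpd/APR function: returns 1 if a Host
 * value may be sent as the TLS SNI name, 0 if SNI should be omitted.
 * RFC 6066 section 3 does not permit IPv4/IPv6 literals in HostName. */
int sni_name_allowed(const char *host)
{
    char name[256];
    struct in_addr v4;
    const char *colon;
    size_t len;

    if (host == NULL || host[0] == '\0' || host[0] == '[')
        return 0;                      /* empty, or bracketed IPv6 literal */

    len = strlen(host);
    colon = strchr(host, ':');
    if (colon != NULL) {
        if (strchr(colon + 1, ':') != NULL)
            return 0;                  /* several colons: bare IPv6 literal */
        len = (size_t)(colon - host);  /* single colon: drop ":port" */
    }
    if (len == 0 || len >= sizeof(name))
        return 0;
    memcpy(name, host, len);
    name[len] = '\0';

    if (inet_pton(AF_INET, name, &v4) == 1)
        return 0;                      /* dotted-quad IPv4 literal */
    if (name[len - 1] == '.')
        return 0;                      /* choice made here: no trailing dot */
    return 1;
}

int main(void)
{
    /* Constructed sample Host header values. */
    const char *samples[] = { "www.example.com", "192.0.2.10:8443", "[2001:db8::1]" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-18s -> %s\n", samples[i],
               sni_name_allowed(samples[i]) ? "send SNI" : "omit SNI");
    return 0;
}
```

Rejecting a trailing dot follows RFC 6066's wording that the name is sent without one; a caller could strip the dot instead of omitting SNI.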
