mod_ssl won't fill in the SNI if it's an IP address; the check is not in
mod_proxy_http but in ssl_io_filter_connect():

    if (hostname_note &&
        sc->proxy->protocol != SSL_PROTOCOL_SSLV2 &&
        sc->proxy->protocol != SSL_PROTOCOL_SSLV3 &&
        apr_ipsubnet_create(&ip, hostname_note, NULL, c->pool) != APR_SUCCESS) {
        ...set SNI to SSL...
    }

apr_ipsubnet_create() returns SUCCESS in the IP address case.
The problem is probably elsewhere.

On Thu, Feb 20, 2014 at 2:39 PM, Pavel Matěja <pa...@netsafe.cz> wrote:
> On Thu, 20 February 2014 08:13:13, Eric Covener wrote:
>
>> On Thu, Feb 20, 2014 at 7:47 AM, Pavel Matěja <pa...@netsafe.cz> wrote:
>
>> > On Wed, 19 February 2014 21:09:10, William A. Rowe Jr. wrote:
>> >> I believe that Kaspar and Ruediger are still entirely at odds with my
>> >> position, but this 'enhancement' should never have been unilaterally
>> >> applied as it was to 2.2.26 and must be reverted (even as the feature
>> >> is 'fixed' with corrections they have blessed), e.g. the comparison
>> >> must be constrained to apply only to SSLStrictSNIVHostCheck enforcing
>> >> hosts under 2.2 to not break existing configurations.
>> >>
>> >> It similarly ought to be constrained to SSLStrictSNIVHostCheck on the
>> >> 2.4 branch, but I'm just not going to participate in that debate at
>> >> all, which is why I say 'ought to'. Time for a few more committers to
>> >> review the relevant specs and chime in with opinions on productive vs.
>> >> disruptive rules that are out-of-spec.
>> >
>> > Last note:
>> > when I go to the reverse proxy without hostname I can't get website at
>> > all.
>> > wget --no-check-certificate https://a.b.c.d will always return HTTP Error
>> > 500: AH01084: pass request body failed to..
>> > AH00898: Error during SSL Handshake with remote server returned by /
>> > AH01097: pass request body failed to..
>> >
>> > Any idea how to rework configuration without the downgrade to SSLv3?
>>
>> Please post the full details in a bug report.
>
> It's quite simple.
> In pre-SNI days hostname didn't matter.
> Now you can't reach backend SSL server thru reverse proxy without correct
> one when you have ProxyPreserveHost On.
> Apache will take IP of proxy and will try to pass it to backend server in
> SNI.
> Which has to fail obviously.
> I guess apache reverse proxy should not fill numeric ip address into SNI
> request at all.
> Just what Kaspar Brand mentioned above: Pure host names (FQDN!) only: RFC
> 6066, section 3.
>
> Something like
> modules/proxy/mod_proxy_http.c:1968
> -if ((dconf->preserve_host != 0) && (r->hostname != NULL)) {
> +if ((dconf->preserve_host != 0) && (r->hostname != NULL) &&
> (is_fqdn(r->hostname))) {
>
> I'm not sure if there is such function or how it is called.
> --
> Pavel Matěja
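Review bot: the proposed condition sits on the ProxyPreserveHost branch of mod_proxy_http, so gating it on is_fqdn(r->hostname) would change which Host header is forwarded to the backend rather than what is placed in SNI; as the reply at the top of this message points out, the SNI decision is made in mod_ssl's ssl_io_filter_connect(), where apr_ipsubnet_create() succeeding on an address literal already causes SNI to be skipped. The sketch also relies on an is_fqdn() helper that, as its author notes, may not exist; if an address-literal check is wanted at this point, apr_ipsubnet_create() is the existing API for it, and the actual handshake failure should be traced from the AH00898 error rather than from this line.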
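The RFC 6066 section 3 rule the thread relies on (SNI carries host names only, never literal IPv4 or IPv6 addresses), as an added stand-alone C example that is not httpd's code: a check deciding whether a proxied host name may be put into SNI. It uses inet_pton() instead of apr_ipsubnet_create(), so it recognises only complete address literals, and the function names sni_hostname_allowed() and is_ip_literal() are assumptions.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Example helper (not httpd's code): report whether host is an IPv4 or IPv6
 * address literal.  mod_ssl makes the equivalent decision in
 * ssl_io_filter_connect() with apr_ipsubnet_create(); this version relies on
 * inet_pton(), so it only recognises complete literals, whereas
 * apr_ipsubnet_create() with a NULL mask also accepts partial forms such as
 * "10.1".  Bracketed IPv6, as seen in Host headers and URLs, is handled too. */
static int is_ip_literal(const char *host)
{
    unsigned char buf[16];
    char v6[INET6_ADDRSTRLEN];
    size_t len = strlen(host);

    if (inet_pton(AF_INET, host, buf) == 1)
        return 1;
    /* Strip the brackets of "[2001:db8::1]" before trying IPv6. */
    if (len >= 2 && host[0] == '[' && host[len - 1] == ']') {
        if (len - 2 >= sizeof(v6))
            return 0;
        memcpy(v6, host + 1, len - 2);
        v6[len - 2] = '\0';
        host = v6;
    }
    return inet_pton(AF_INET6, host, buf) == 1;
}

/* Returns 1 if host may be sent in the SNI extension, 0 if the extension
 * must be omitted (empty name or address literal, per RFC 6066 section 3). */
int sni_hostname_allowed(const char *host)
{
    if (host == NULL || *host == '\0')
        return 0;
    return !is_ip_literal(host);
}

int main(void)
{
    const char *samples[] = { "backend.example.org", "10.0.0.1",
                              "2001:db8::1", "[2001:db8::1]", "" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-22s -> %s\n", samples[i],
               sni_hostname_allowed(samples[i]) ? "send SNI" : "omit SNI");
    return 0;
}
```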