On Thu, Feb 20, 2014 at 7:18 PM, Yann Ylavic <[email protected]> wrote:
> On Thu, Feb 20, 2014 at 6:28 PM, Pavel Matěja <[email protected]> wrote:
>> Currently there are two possible scenarios with SSLCheckProxyPeerName On and
>> numeric Host/URI:
>> 1) you will try to open new connection which will fail the CN check and
>> client gets 502 Bad Gateway
>> 2) you will try to reuse already opened connection which will get you 400
>> Bad Request because SNI hostname won't match the numeric one.
>>
>
> For 2) the issue is not related to IP addresses, reusing a SNI-ed
> connection without checking the current hostname is a bug IMHO.

I proposed a fix (trunk) in PR 55782: https://issues.apache.org/bugzilla/attachment.cgi?id=31342&action=diff
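The reuse check discussed in this thread, as an added example: it is not the patch attached to PR 55782 and not httpd code. The struct, the function names and the sample hosts are hypothetical, and the host is assumed to arrive without brackets or port.

```c
#include <stdio.h>
#include <strings.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Hypothetical pooled backend connection (not an httpd structure). */
struct pooled_conn {
    const char *sni_name; /* name sent as SNI in the handshake, NULL if none */
};

/* 1 if host parses as an IPv4 or IPv6 literal (no brackets, no port). */
static int is_ip_literal(const char *host)
{
    unsigned char buf[sizeof(struct in6_addr)];
    return inet_pton(AF_INET, host, buf) == 1 ||
           inet_pton(AF_INET6, host, buf) == 1;
}

/* SNI a fresh handshake for this host would carry; RFC 6066 forbids
 * IP literals in server_name, so those map to "no SNI" (NULL). */
static const char *expected_sni(const char *host)
{
    return is_ip_literal(host) ? NULL : host;
}

/* Reuse only when the connection's SNI equals what this request needs. */
int can_reuse(const struct pooled_conn *c, const char *request_host)
{
    const char *want = expected_sni(request_host);
    if (want == NULL || c->sni_name == NULL)
        return want == c->sni_name; /* both must be "no SNI" */
    return strcasecmp(want, c->sni_name) == 0;
}

int main(void)
{
    /* Constructed sample: one connection opened with SNI, one without. */
    struct pooled_conn named = { "backend.example" };
    struct pooled_conn anon = { NULL };
    printf("named + 192.0.2.10      -> %d\n", can_reuse(&named, "192.0.2.10"));
    printf("named + BACKEND.example -> %d\n", can_reuse(&named, "BACKEND.example"));
    printf("anon  + 192.0.2.10      -> %d\n", can_reuse(&anon, "192.0.2.10"));
    return 0;
}
```

A connection that fails this check is skipped rather than reused, which is the case that otherwise ends in the 400 Bad Request from scenario 2.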
