ISTR that the RFC about SNI forbids port numbers (I find it unfortunate as a matter of fact, given that host names may contain ports...). Just to say that normalization may come with port handling/relaxing in several places, which I support!
On Wed, Apr 11, 2018 at 11:52 AM, Plüm, Rüdiger, Vodafone Group <ruediger.pl...@vodafone.com> wrote:
> I guess this makes sense to avoid these kinds of issues.
>
> Regards
>
> Rüdiger
>
>> -----Original Message-----
>> From: Stefan Eissing [mailto:stefan.eiss...@greenbytes.de]
>> Sent: Wednesday, April 11, 2018 11:49
>> To: dev@httpd.apache.org
>> Subject: SNI normalization?
>>
>> Feedback desired:
>>
>> Checking my server logs, I regularly see clients using SNI with port
>> identifier, as in: test.example.org:443
>>
>> I am not sure what client that is, but we do not identify the vhost that
>> is (probably) intended. Then the request comes in, and there we have magic
>> that finds the correct r->server. Then mod_ssl sees that
>> sslconn->server != r->server and does some compatibility checks. If the
>> base server and vhost have incompatible settings (e.g. other
>> certs/ciphers etc.), the request fails.
>>
>> This seems to be wrong. Do we need the same normalization that we have
>> in Host: header parsing in SNI?
>>
>> -Stefan
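
A sketch of the kind of SNI normalization asked about in the thread, as an added example that is not httpd or mod_ssl code and not part of the original messages. The function name `sni_normalize` and its exact rules (strip one `:port`, strip one trailing dot, lowercase, reject anything outside letters, digits, `.` and `-`) are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (assumption, not httpd code): normalize a client-sent
 * SNI value into `out` so it can be compared against vhost names.
 * Returns 0 on success, -1 if the value should not be used for matching. */
int sni_normalize(const char *sni, char *out, size_t outlen)
{
    size_t len = strlen(sni);
    const char *colon = strrchr(sni, ':');
    if (colon != NULL) {                    /* candidate ":port" suffix */
        unsigned long port = 0;
        size_t digits = strlen(colon + 1);
        if (digits == 0 || digits > 5)
            return -1;
        for (const char *p = colon + 1; *p; p++) {
            if (!isdigit((unsigned char)*p))
                return -1;
            port = port * 10 + (unsigned long)(*p - '0');
        }
        if (port == 0 || port > 65535)
            return -1;
        len = (size_t)(colon - sni);        /* keep only the host part */
    }
    if (len > 0 && sni[len - 1] == '.')     /* one trailing FQDN dot */
        len--;
    if (len == 0 || len > 253 || len >= outlen || sni[len - 1] == '.')
        return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)sni[i];
        if (c == '.' && (i == 0 || sni[i - 1] == '.'))
            return -1;                      /* empty label */
        if (c != '.' && c != '-' && !isalnum(c))
            return -1;                      /* brackets, extra colons, etc. */
        out[i] = (char)tolower(c);
    }
    out[len] = '\0';
    return 0;
}

int main(void)
{
    const char *samples[] = { "test.example.org:443", "Test.Example.ORG.", "[::1]:443" }; /* constructed */
    char buf[256];
    for (size_t i = 0; i < 3; i++)
        printf("%s -> %s\n", samples[i], sni_normalize(samples[i], buf, sizeof buf) == 0 ? buf : "(rejected)");
    return 0;
}
```

Values that fail normalization are rejected rather than passed through, so a malformed SNI never silently selects a vhost.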