For SNI, all TLS servers on the same address/port need to run with the same TLS config. The config parser has an extra check for this. The problem is that it also compares the TLS config parameters against non-TLS servers, for example when a server block has both "listen * port 80" and "listen * tls port 443".
The following diff fixes that and also removes the unused last argument of server_tls_cmp(). -- :wq Claudio
Index: httpd.h
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/httpd.h,v
retrieving revision 1.154
diff -u -p -r1.154 httpd.h
--- httpd.h	27 Jan 2021 07:21:52 -0000	1.154
+++ httpd.h	13 Feb 2021 08:32:34 -0000
@@ -622,7 +622,7 @@ int cmdline_symset(char *);
 
 /* server.c */
 void server(struct privsep *, struct privsep_proc *);
-int server_tls_cmp(struct server *, struct server *, int);
+int server_tls_cmp(struct server *, struct server *);
 int server_tls_load_ca(struct server *);
 int server_tls_load_crl(struct server *);
 int server_tls_load_keypair(struct server *);
Index: parse.y
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/parse.y,v
retrieving revision 1.124
diff -u -p -r1.124 parse.y
--- parse.y	22 Jan 2021 13:07:17 -0000	1.124
+++ parse.y	13 Feb 2021 09:02:18 -0000
@@ -333,7 +333,8 @@ server : SERVER optmatch STRING {
 					free(srv);
 					YYERROR;
 				}
-				if (server_tls_cmp(s, srv, 0) != 0) {
+				if (srv->srv_conf.flags & SRVFLAG_TLS &&
+				    server_tls_cmp(s, srv) != 0) {
 					yyerror("server \"%s\": tls "
 					    "configuration mismatch on same "
 					    "address/port",
Index: server.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/server.c,v
retrieving revision 1.124
diff -u -p -r1.124 server.c
--- server.c	2 Jan 2021 18:35:07 -0000	1.124
+++ server.c	15 Feb 2021 11:38:08 -0000
@@ -127,7 +127,7 @@ server_privinit(struct server *srv)
 }
 
 int
-server_tls_cmp(struct server *s1, struct server *s2, int match_keypair)
+server_tls_cmp(struct server *s1, struct server *s2)
 {
 	struct server_config	*sc1, *sc2;
 
@@ -146,13 +146,6 @@ server_tls_cmp(struct server *s1, struct
 		return (-1);
 	if (strcmp(sc1->tls_ecdhe_curves, sc2->tls_ecdhe_curves) != 0)
 		return (-1);
-
-	if (match_keypair) {
-		if (strcmp(sc1->tls_cert_file, sc2->tls_cert_file) != 0)
-			return (-1);
-		if (strcmp(sc1->tls_key_file, sc2->tls_key_file) != 0)
-			return (-1);
-	}
 
 	return (0);
 }
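Review bot: The new guard in the parse.y hunk tests only srv's SRVFLAG_TLS, so when srv is a TLS server and the already-registered s on the same address/port is not, server_tls_cmp() still runs against s's TLS fields and the "configuration mismatch" error fires for the reversed form of the case the diff describes. Unless something earlier in this action already rejects a TLS/non-TLS pair on the same address/port, the check should test both sides, `if ((srv->srv_conf.flags & SRVFLAG_TLS) && (s->srv_conf.flags & SRVFLAG_TLS) && server_tls_cmp(s, srv) != 0) {`. Parenthesizing the `&` term also makes its precedence over `&&` explicit. The enclosing server action, including the loop that selects s, starts and ends outside the hunk.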
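Review bot: server_tls_cmp() in the first server.c hunk has no header comment, and with match_keypair gone nothing states which settings it compares and which it deliberately ignores; a reader of the SNI check in parse.y has to work that out from the body. Suggest a comment above the `int` line such as `/* Compare the TLS settings that must agree for servers sharing an address/port (SNI); the per-server certificate and key are intentionally not compared. Returns 0 on match, -1 otherwise. */`. The function's body continues in the second server.c hunk, where the keypair comparison is removed.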