On Sun, 2012-02-19 at 09:04 -0500, Eric Covener wrote:
> > 2nd access:
> > I get an error that no SNI hostname was provided, but still,
> > the output appears in the log file of the non-default name-based vhost,
> > strange, isn't it?
> No, Apache will still do normal vhost resolution.
But how does it know which to choose? Or can it do so because the
initial SSL handshake is already done and it can now use the HTTP Host
header?

> It's only mod_ssl
> that will jump in the way if that occurred without SNI on an SSL
> vhost.  The error is logged to the name-based vhost being that you
> landed on.
> > And I have:
> > SSLStrictSNIVHostCheck on
> > so I'd expect any access to fail if no SNI hostname was provided.
> 
> I'm not a big mod_ssl user, but isn't that exactly what's happening
> with your 403?
Ah, you mean this gives "just" a 403? I'd have (not sure why) expected
that this would already fail at the SSL handshake level...


> You should be able to confirm in a packet capture or by logging
> %{SSL_TLS_SNI}e.
I'll try to do that logging with SSL_TLS_SNI...


>     You'd also want to confirm whether your SSL
> Session ID is being reused, but after 10 minutes this should not be
> the case.  This would be obvious in the handshake (unencrypted) but I
> don't know what you'd log or look for in traces with mod_ssl.

How can I do this? I mean packet capturing and getting the packets decrypted?


Thanks,
Chris.

Attachment: smime.p7s
Description: S/MIME cryptographic signature
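The two things Eric says are visible in the unencrypted part of the handshake, the SNI host_name and whether the SSL session ID is being reused, can be read straight from the ClientHello and ServerHello in a packet capture without decrypting anything. The script below is an added example, not code from this thread or from the httpd project: it parses a TLS 1.2 hello record and reports the SNI name (None when the extension is missing, which is the case SSLStrictSNIVHostCheck rejects) and whether the server echoed the client's session ID. The records it runs on are constructed in the script itself (all-zero randoms, a single cipher suite), not captured traffic, and the names parse_hello, session_resumed, build_client_hello and build_server_hello are the example's own.

```python
"""Read SNI and session-ID reuse straight from TLS hello messages.

Both facts sit in the cleartext part of the handshake, so a capture
suffices. Sample records are constructed below, not captured traffic.
"""
import struct

HANDSHAKE = 0x16          # TLS record content type
CLIENT_HELLO = 0x01       # handshake message types
SERVER_HELLO = 0x02
EXT_SERVER_NAME = 0x0000  # server_name extension (RFC 6066)


def _u16(buf, off):
    """Big-endian uint16 at off; returns (value, new_offset)."""
    return struct.unpack_from(">H", buf, off)[0], off + 2


def parse_hello(record):
    """Parse one TLS record carrying a ClientHello or ServerHello.

    Returns {"type", "session_id" (hex), "sni" (host_name or None)}.
    Raises ValueError for anything that is not a single plain hello record.
    """
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len, _ = _u16(record, 3)
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    msg_type = body[0]
    if msg_type not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("not a hello message")
    msg = body[4:4 + int.from_bytes(body[1:4], "big")]
    off = 2 + 32                                  # legacy_version + random
    sid_len = msg[off]
    session_id = msg[off + 1:off + 1 + sid_len]
    off += 1 + sid_len
    if msg_type == CLIENT_HELLO:
        cs_len, off = _u16(msg, off)              # cipher_suites<2..2^16-2>
        off += cs_len
        off += 1 + msg[off]                       # compression_methods<1..255>
    else:
        off += 2 + 1                              # cipher_suite, compression_method
    sni = None
    if off < len(msg):                            # extensions block is optional
        ext_total, off = _u16(msg, off)
        end = off + ext_total
        while off + 4 <= end:
            ext_type, off = _u16(msg, off)
            ext_len, off = _u16(msg, off)
            data = msg[off:off + ext_len]
            off += ext_len
            if ext_type == EXT_SERVER_NAME and msg_type == CLIENT_HELLO:
                # ServerNameList: u16 length, then (u8 name_type, u16 len, name)*
                list_len, p = _u16(data, 0)
                while p + 3 <= 2 + list_len:
                    name_type = data[p]
                    name_len, p = _u16(data, p + 1)
                    if name_type == 0:            # host_name
                        sni = data[p:p + name_len].decode("ascii")
                    p += name_len
    return {"type": "ClientHello" if msg_type == CLIENT_HELLO else "ServerHello",
            "session_id": session_id.hex(), "sni": sni}


def session_resumed(client_hello, server_hello):
    """TLS <= 1.2 session-ID resumption: the server echoes the non-empty
    session_id the client offered. A full handshake shows an empty or
    different id in the ServerHello."""
    offered = parse_hello(client_hello)["session_id"]
    chosen = parse_hello(server_hello)["session_id"]
    return offered != "" and offered == chosen


def _record(msg_type, msg):
    """Wrap a handshake message in a TLS record (constructed sample data)."""
    body = bytes([msg_type]) + len(msg).to_bytes(3, "big") + msg
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack(">H", len(body)) + body


def build_client_hello(session_id=b"", sni=None):
    """Constructed minimal TLS 1.2 ClientHello: one cipher suite, null
    compression, optional server_name extension."""
    msg = b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
    msg += struct.pack(">H", 2) + b"\xc0\x2f" + b"\x01\x00"
    exts = b""
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack(">H", len(host)) + host
        sn_list = struct.pack(">H", len(entry)) + entry
        exts = struct.pack(">HH", EXT_SERVER_NAME, len(sn_list)) + sn_list
    return _record(CLIENT_HELLO, msg + struct.pack(">H", len(exts)) + exts)


def build_server_hello(session_id=b""):
    """Constructed minimal TLS 1.2 ServerHello echoing (or not) a session id."""
    msg = b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
    return _record(SERVER_HELLO, msg + b"\xc0\x2f\x00" + struct.pack(">H", 0))


if __name__ == "__main__":
    sid = bytes(range(32))
    with_sni = build_client_hello(sid, "www.example.com")
    print(parse_hello(with_sni))
    print(parse_hello(build_client_hello(sid)))          # sni is None
    print(session_resumed(with_sni, build_server_hello(sid)))
    print(session_resumed(with_sni, build_server_hello(b"\xaa" * 32)))
```

To use this against a real capture, export the bytes of the first TLS record in each direction (for example from Wireshark, "Export Packet Bytes" on the Handshake Protocol layer) and pass them to parse_hello; a ClientHello with sni None is exactly what SSLStrictSNIVHostCheck turns into the 403, and session_resumed answers the session-ID question for TLS 1.2 and earlier, which is where session IDs are used (TLS 1.3 resumes via PSK tickets instead, so the ID comparison does not apply there). On the server side, logging %{SSL_TLS_SNI}e as Eric suggests gives the same SNI answer from mod_ssl's point of view.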
