Is the directive
SSLStrictSNIVHostCheck On
meant to block connections to a virtual host if the connecting client
uses an IP literal as URL ? RFC 6066 states that
Literal IPv4 and IPv6 addresses are not permitted in "HostName".
since a SNI doesn't make sense at all for an IP literal and this
(https://bugzilla.mozilla.org/show_bug.cgi?id=421634) bug report/patch
for FF does exactly what I would expect for such a client request, which
is to not send any SNI at all.
The docs don't mention this corner case
(http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslstrictsnivhostcheck)
and I think the "issue" traces to
httpd-2.4.3/modules/ssl/ssl_engine_kernel.c:166
where there is no check if the SNI is necessary at all, only it if present:
if ((servername = SSL_get_servername(ssl,
TLSEXT_NAMETYPE_host_name))) {
So if this is not working as intended I suggest adding an IP literal
detection at this place and if it is working as intended I would like to
know the reasoning behind it.
Cheers,
Thomas
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
