Thomas, I think the users@ list may be the wrong target for such discussion. FWDing to dev@
----- Original Message -----
> Is the directive
> SSLStrictSNIVHostCheck On
> meant to block connections to a virtual host if the connecting client
> uses an IP literal as URL? RFC 6066 states that
> Literal IPv4 and IPv6 addresses are not permitted in "HostName".
> since a SNI doesn't make sense at all for an IP literal and this
> (https://bugzilla.mozilla.org/show_bug.cgi?id=421634) bug report/patch
> for FF does exactly what I would expect for such a client request, which
> is to not send any SNI at all.
>
> The docs don't mention this corner case
> (http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslstrictsnivhostcheck)
> and I think the "issue" traces to
> httpd-2.4.3/modules/ssl/ssl_engine_kernel.c:166
> where there is no check if the SNI is necessary at all, only if it is
> present:
> if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
>
> So if this is not working as intended I suggest adding an IP literal
> detection at this place and if it is working as intended I would like to
> know the reasoning behind it.
>
> Cheers,
> Thomas

-- 
Igor Galić
Tel: +43 (0) 664 886 22 883
Mail: i.ga...@brainsware.org
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515 2EA5 4B1D 9E08 A097 C9AE
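
A sketch of the IP literal detection suggested in the quoted message, as an added example that is not code from httpd or from either poster. The names host_is_ip_literal and strict_sni_allows are hypothetical, and the accept/reject policy is an assumption about what a strict check could do, not a description of what mod_ssl does.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper: 1 if a Host header value ("192.0.2.10:443",
 * "[2001:db8::1]:443", "example.org") names an IP literal, else 0. */
static int host_is_ip_literal(const char *host)
{
    char buf[64];
    unsigned char addr[sizeof(struct in6_addr)];
    int v6 = (host[0] == '[');                 /* IPv6 literals are bracketed */
    const char *start = v6 ? host + 1 : host;
    size_t len = strcspn(start, v6 ? "]" : ":");  /* strip "]" or ":port" */

    if (v6 && (start[len] != ']' ||
               (start[len + 1] != '\0' && start[len + 1] != ':')))
        return 0;                              /* unterminated or trailing junk */
    if (len == 0 || len >= sizeof(buf))
        return 0;
    memcpy(buf, start, len);
    buf[len] = '\0';
    return inet_pton(v6 ? AF_INET6 : AF_INET, buf, addr) == 1;
}

/* Hypothetical policy: 1 = accept, 0 = reject. sni is the value
 * SSL_get_servername() returned, or NULL if the client sent none. */
static int strict_sni_allows(const char *sni, const char *host)
{
    if (sni != NULL) {
        size_t n = strcspn(host, ":");         /* host name without port */
        return strlen(sni) == n && strncasecmp(sni, host, n) == 0;
    }
    /* No SNI: RFC 6066 forbids IP literals in HostName, so a client
     * addressing the server by IP cannot be expected to send one. */
    return host_is_ip_literal(host);
}

int main(void)
{
    /* Constructed sample Host values, not taken from the thread. */
    const char *hosts[] = { "192.0.2.10:443", "[2001:db8::1]", "example.org" };
    for (size_t i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++)
        printf("%-18s no SNI -> %s\n", hosts[i],
               strict_sni_allows(NULL, hosts[i]) ? "accept" : "reject");
    return 0;
}
```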