https://issues.apache.org/bugzilla/show_bug.cgi?id=54656

William A. Rowe Jr. <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW

--- Comment #3 from William A. Rowe Jr. <[email protected]> ---
Earlier guidance on dev@httpd was misguided. A similar problem is present for
all forward-proxied requests.

The SNI defined hostname can only be used to help route the correct
certificate. The SNI definition of a hostname is independent of the definition
of the HTTP Host: field and any assumption that they would be identical is
misguided. The SNI hostname may not be an IP-address, while the Host: header
may be. The SNI hostname is the next-hop hostname (without a port), while the
Host: header is the hostname (including optional port) component of the target
URI. In the forward proxy case, these always differ.

The SNI logic further fails to test alt-subject names, wildcard CNs and a host
of other design errors. I expect your report has equal validity in light of
these other design flaws and I'm evaluating this within the context of the
current mis-implementation.
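
Added example, not part of the bug comment and not httpd code: a small Python classifier for the cases the comment lists in which the TLS SNI name and the HTTP Host: field are not expected to be identical. The function names, the result labels and the forward_proxy flag are assumptions made for illustration, and all hostnames and addresses are constructed documentation values.

```python
import ipaddress

def split_host_header(value):
    """Split a Host: field value into (host, port); port is None when absent."""
    value = value.strip()
    if value.startswith("["):                 # bracketed IPv6 literal, e.g. [2001:db8::1]:443
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal in Host")
        host, rest = value[1:end], value[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError("garbage after IPv6 literal in Host")
        port = rest[1:]
    else:
        host, _, port = value.partition(":")
    if port and not port.isdigit():
        raise ValueError("non-numeric port in Host")
    return host.lower().rstrip("."), (int(port) if port else None)

def is_ip_literal(host):
    """True when host is an IPv4 or IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def compare_sni_and_host(sni, host_header, forward_proxy=False):
    """Classify the relation between SNI and Host:; this labels the case, it is not a policy.

    forward_proxy (assumed flag) marks a TLS connection whose next hop is a proxy.
    """
    host, _port = split_host_header(host_header)   # SNI never carries a port
    if sni is None:
        return "no-sni"              # client sent no server_name extension
    if forward_proxy:
        return "next-hop-differs"    # SNI names the proxy, Host names the target URI
    if is_ip_literal(host):
        return "host-is-ip"          # SNI may not be an IP address, Host may be
    if sni.lower().rstrip(".") == host:
        return "same-name"
    return "different-name"

if __name__ == "__main__":
    # Constructed sample inputs.
    print(compare_sni_and_host("example.com", "example.com:8443"))
    print(compare_sni_and_host("example.com", "192.0.2.10"))
    print(compare_sni_and_host("proxy.example.net", "origin.example.org:443", forward_proxy=True))
```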
