https://bz.apache.org/bugzilla/show_bug.cgi?id=54656
--- Comment #4 from Santiago Garcia Mantinan <[email protected]> --- Before SNI support on Apache 2.4 one could have a server serve an external.domain site using a internal.domain certificate, since SNI we have three hostnames, the SNI, the presented certificate and the Host header and an apache server will force the Host header to match the SNI, otherwise we'll get the known error: Hostname internal.domain provided via SNI and hostname external.domain provided via HTTP are different The proposed patch solves the problem of the Apache proxy asking for a certificate for internal.domain and sending a SNI of external.domain (which is the case now if you have ProxyPreserveHost On) but doesn't solve the problem of the Apache backend server giving that error, so this patch should go together with one adding a new directive to relax the SNI check on the server side, otherwise this patch is not coherent with Apache server behaviour. I'd like to know if this relaxing is something that could be accepted so that we could have pre-SNI behabiours back to apache 2.4 or if ProxyPreserveHost is needed then ssl must be disabled on Apache backend servers which means lowering security compared to what we had at 2.2. -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
