https://bz.apache.org/bugzilla/show_bug.cgi?id=69743
--- Comment #34 from jrayh...@freedesktop.org ---

Optimally, there should be a default "auto" setting for SSLStrictSNIVHostCheck that only does strict checking if VirtualHost-specific mod_ssl directives apart from SSLCertificate{Key,Chain,}File are present (especially SSLVerifyClient since it keeps causing high-impact CVEs).

Handholding admins by defaulting SSLStrictSNIVHostCheck to "On" is also reasonable, provided there's a release that does a deprecation warning for the implicit default.

Completely breaking the currently documented behavior of "SSLStrictSNIVHostCheck Off" is much less good. Security patches that break backwards compatibility and cause downtime for no good reason undermine trust in the project generally and the security release channel specifically.