On Sat, Feb 10, 2018 at 12:02:07AM +0100, Landry Breuil wrote:
> On Fri, Feb 09, 2018 at 09:40:33PM +0100, Landry Breuil wrote:
> > On Fri, Feb 09, 2018 at 07:54:22PM +0100, Landry Breuil wrote:
> > > Hi,
> 
> I think I found it with some printf-debugging...
> 
> If the default vhost has no tls config, and any of the other vhosts has some
> non-default tls config (for protocols, ticket, dhe, ciphers..), the
> server_match() function will return the default vhost for 's', and then
> parse.y unconditionally compares the tls config for s and the current
> server - as the default vhost has no tls config, of course they won't match.
> 
> My idea would be to compare the tls configs only if the default vhost has a
> tls config.. but I'm not sure that's the way to go, since I'm not sure I
> understand the rationale about comparing tls configs. Any httpd/ssl experts?
> Joel, I think it is this way since r1.79...
> 
> With this diff, I can validate a config that would previously error out. I'm
> not sure this is the way to go of course.

Haven't been able to figure out the correct solution yet. But, swapping
the two listen directives for ftp.fr.openbsd.org makes the configuration
valid. Doing this will cause the HTTP host to be treated as a host alias
internally, as opposed to treating the HTTPS host as an alias.
