On Tue, Jun 03, 2008 at 04:42:07PM +0200, Kaspar Brand wrote:
> So, is there still hope for SNI being added in 2.2.9...? Let me know if
> there's anything else I can do to increase the chances of getting this
> proposal accepted.

http://svn.apache.org/viewvc?rev=662815&view=rev

Changing the dirconf structure fields in-place seems ugly and may even be thread-unsafe (not sure).

I still can't see how this handles half the cases it needs to, as I've said several times now - SSLVerifyClient is only one part of this. From a quick look I can't see how a reneg would be forced for any of:

1) SSLCipherSuite changed since original vhost
2) SSLCACertificate* changed since original vhost (where both
3) SSLOCSP* changed since original vhost

but it certainly should be.

A lot of the mod_ssl code will need to be very carefully reviewed since some core assumptions are being broken by supporting SNI. I would go through each of the config directives which support vhost context in turn. What about SSLCertificateChainFile? What about CRLs? etc etc.

It is also a complete cop-out to claim these issues aren't specific to SNI since we explicitly don't support any non-SNI configuration in which these paths can be triggered. And for very good reason: *they don't work properly*.

joe