On 05/02/2009 12:21 AM, William A. Rowe, Jr. wrote:
> Ruediger Pluem wrote:
>> On 05/01/2009 07:11 AM, Kaspar Brand wrote:
>>> Ruediger Pluem wrote:
>>>> I hope to get the SNI patches summarized in a backportable
>>>> way by then to have them included in 2.2.12.
>>> Didn't want to rush things, but since there were no objections to the
>>> recent trunk commits so far - here's an updated backport for 2.2
>>> (including your improvements from March/April, see revision list at the
>>> top of the file):
>>>
>>> http://sni.velox.ch/httpd-2.2.x-sni.20090426.diff
>> Thanks for this. Especially the list of revision numbers will be
>> very helpful for the further process.
>
> I have only one small concern about adopting this. Consider the diversity
> of installations which users install httpd onto.
>
> --- httpd-2.2.x/modules/ssl/mod_ssl.c (revision 768694)
> +++ httpd-2.2.x/modules/ssl/mod_ssl.c (working copy)
> @@ -145,6 +145,10 @@ static const command_rec ssl_config_cmds[] = {
> "Use the server's cipher ordering preference")
> SSL_CMD_ALL(UserName, TAKE1,
> "Set user name to SSL variable value")
> +#ifndef OPENSSL_NO_TLSEXT
> + SSL_CMD_SRV(StrictSNIVHostCheck, FLAG,
> + "Strict SNI virtual host checking")
> +#endif
>
> This provides no clue why the directive fails. I'm not fond of conditional
> compilation of directives.
>
> If we can ensure the StrictSNIVHostCheck always exists, but exits when it
> is not supported with;
>
> #ifndef OPENSSL_NO_TLSEXT
> return "StrictSNIVHostCheck failed; OpenSSL is not built with support "
> "for TLS extensions and SNI indication. Refer to the "
> "documentation, and build a compatible version of openssl";
> #else
> ... usual stuff
> #endif
>
> Does this make better sense to avoid user complaints?
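Review bot: wrapping the `SSL_CMD_SRV(StrictSNIVHostCheck, FLAG, ...)` entry in `#ifndef OPENSSL_NO_TLSEXT` means that on an OpenSSL built without TLS extension support the directive is never registered, so a configuration that uses it is rejected with a generic unknown-directive error instead of an explanation of what is missing. Keep the command_rec entry unconditional and move the `OPENSSL_NO_TLSEXT` test into the directive's handler, returning the descriptive error string from there. In the replacement sketched below the hunk the branches are inverted: the error text belongs under `#ifdef OPENSSL_NO_TLSEXT` (or in the `#else` branch of the `#ifndef`), otherwise the directive would fail on exactly the builds that do support SNI.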
Apart from the fact that you need to swap both blocks above, yes this makes sense :-). I'll try to adjust it if no one beats me to it.

Regards

Rüdiger