> On Sun, May 16, 2010 at 3:14 PM, Eric Covener <[email protected]> wrote:
>> User has a non-NVH on 10.137.1.104:9902 (CN=aaa.de) and insists SNI is
>> choosing the SSL configuration from a different VH that (CN=aaa.at)
>> comes earlier and b) has a matching servername.

I can't reproduce/confirm this behavior with 2.2.15. Did the user
double-check that the www.aaa.at.crt and www.aaa.de.crt files really have
the proper contents?

>> I think that 10.137.1.104 was sent, but I'm not sure if any SNI
>> hostname was sent. I called it like this: openssl s_client -connect
>> 10.137.1.104:9902

openssl s_client doesn't send any SNI extension by default (needs to be
specified with -servername, if desired). The code in mod_ssl which
possibly switches to a different certificate (through OpenSSL's
SSL_set_SSL_CTX) is only reached from ssl_callback_ServerNameIndication().
And this callback is not executed if there's no SNI extension in the
ClientHello (at APLOG_DEBUG, mod_ssl will log the outcome of
ap_vhost_iterate_given_conn, but my prediction is that the user won't see
any such messages if he's using s_client w/o the servername switch).

Kaspar
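The point of the reply is that whether the server's SNI callback runs at all depends on the ClientHello carrying a server_name extension. The following Python script is an added example (not code from the thread, from mod_ssl or from OpenSSL) that builds minimal TLS 1.2 ClientHello records with and without SNI, parses the server_name extension back out the way a server or a packet-capture tool would, and models the selection the reply describes: with SNI the matching ServerName's certificate is used, without it the first vhost configured for the IP:port answers. The `VHOSTS` list, the certificate labels and the ClientHello bytes are constructed sample values; the vhost-matching model is deliberately simplified (exact ServerName match only, no ServerAlias or wildcards) and is not a reimplementation of httpd's lookup.

```python
import struct

# Constructed sample config (hypothetical): config order matters, the first
# entry is the default vhost for the socket when the client sends no SNI.
VHOSTS = [
    ("www.aaa.at", "CN=aaa.at"),
    ("www.aaa.de", "CN=aaa.de"),
]


def _u16(n):
    return struct.pack(">H", n)


def build_client_hello(server_name=None, with_extensions=True):
    """Build a minimal TLS 1.2 ClientHello record (constructed, not a capture).

    server_name=None mimics a client that sends no server_name extension,
    e.g. `openssl s_client` without -servername.  with_extensions=False
    also omits the whole extensions field, as very old clients do (ignored
    when an SNI name is requested, since SNI needs the field).
    """
    body = b"\x03\x03" + b"\x00" * 32            # client_version, random (zeros in sample)
    body += b"\x00"                              # session_id: empty
    body += _u16(2) + b"\xc0\x2f"                # cipher_suites: one suite
    body += b"\x01\x00"                          # compression_methods: null only
    exts = _u16(0x000B) + _u16(2) + b"\x01\x00"  # ec_point_formats, so the field is never empty
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + _u16(len(host)) + host           # NameType host_name(0) + HostName
        sni = _u16(len(entry)) + entry                     # ServerNameList
        exts = _u16(0x0000) + _u16(len(sni)) + sni + exts  # extension_type server_name(0)
    if with_extensions or server_name is not None:
        body += _u16(len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake  # ContentType handshake(22)


def sni_from_client_hello(record):
    """Return the SNI host_name, or None if the ClientHello carries no server_name extension."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip client_version and random
    pos += 1 + body[pos]                           # session_id
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    if pos >= len(body):
        return None                                # legacy hello: no extensions field at all
    end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack(">HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != 0:
            continue                               # not server_name
        list_end = 2 + struct.unpack(">H", edata[:2])[0]
        q = 2
        while q + 3 <= list_end:
            ntype = edata[q]
            nlen = struct.unpack(">H", edata[q + 1:q + 3])[0]
            q += 3
            name = edata[q:q + nlen]
            q += nlen
            if ntype == 0:                         # host_name
                return name.decode("ascii")
    return None                                    # extensions present, but no SNI among them


def cert_for_connection(record, vhosts=VHOSTS):
    """Simplified model of the behaviour the reply describes: the certificate only
    switches from the SNI callback, so without SNI the default (first) vhost answers."""
    host = sni_from_client_hello(record)
    if host is not None:
        for server_name, cert in vhosts:
            if server_name.lower() == host.lower():
                return cert
    return vhosts[0][1]


if __name__ == "__main__":
    for label, rec in [("no SNI (s_client default)", build_client_hello()),
                       ("legacy, no extensions", build_client_hello(with_extensions=False)),
                       ("-servername www.aaa.de", build_client_hello("www.aaa.de"))]:
        print(f"{label:28s} sni={sni_from_client_hello(rec)!r:16} -> {cert_for_connection(rec)}")
```

Running the script shows that both the default `s_client` hello and the legacy hello resolve to the first vhost's certificate, and only the hello with `-servername www.aaa.de` selects `CN=aaa.de`; the same parser can be pointed at the first record of a captured connection to settle "was SNI sent?" before looking at the server side.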
