On 26.11.2013 09:29, Yann Ylavic wrote: > Another point is that SNI can not be an IP address according to the RFC > 6066 : > > 3. Server Name Indication > [...] > Literal IPv4 and IPv6 addresses are not permitted in "HostName". > > and this is not specifically checked by mod_proxy before filling SNI. > > Shouldn't the SNI be ommited when the Host is missing/empty or an IP > address too?
Yes, ssl_engine_io.c:ssl_io_filter_handshake() takes care of that. (I argued for adding this to OpenSSL back in 2009 [1], but one reaction was "is not exactly a nice thing" and "Looks ugly" [2].) Kaspar [1] http://mail-archives.apache.org/mod_mbox/httpd-dev/200910.mbox/%3C4AE47BB6.3030009%40velox.ch%3E [2] http://mail-archives.apache.org/mod_mbox/httpd-dev/200910.mbox/%3c4ae4bfe0.6010...@edelweb.fr%3E