On 26.11.2013 09:29, Yann Ylavic wrote:
> Another point is that SNI cannot be an IP address according to
> RFC 6066:
> 
> 3.  Server Name Indication
>    [...]
>    Literal IPv4 and IPv6 addresses are not permitted in "HostName".
> 
> and this is not specifically checked by mod_proxy before filling SNI.
> 
> Shouldn't the SNI be omitted when the Host is missing/empty or an IP
> address too?

Yes, ssl_engine_io.c:ssl_io_filter_handshake() takes care of that.
(I argued for adding this to OpenSSL back in 2009 [1], but one reaction
was "is not exactly a nice thing" and "Looks ugly" [2].)

Kaspar

[1]
http://mail-archives.apache.org/mod_mbox/httpd-dev/200910.mbox/%3C4AE47BB6.3030009%40velox.ch%3E

[2]
http://mail-archives.apache.org/mod_mbox/httpd-dev/200910.mbox/%3c4ae4bfe0.6010...@edelweb.fr%3E
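
The check discussed in this message (omit SNI when the host is missing, empty, or a literal IP address), sketched as an added example that is not part of the original mail and is not httpd's or OpenSSL's own code. The helper name `sni_host_allowed` is hypothetical, and POSIX `inet_pton` is assumed as the address parser.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: returns 1 if `host` may be sent as the SNI
 * "HostName", 0 if the extension should be left out of the ClientHello.
 * RFC 6066 section 3 forbids literal IPv4 and IPv6 addresses there. */
int sni_host_allowed(const char *host)
{
    unsigned char addr[sizeof(struct in6_addr)]; /* large enough for both families */
    char buf[256];
    size_t len;

    /* Missing or empty Host: nothing meaningful to indicate. */
    if (host == NULL || *host == '\0')
        return 0;

    len = strlen(host);
    if (len >= sizeof(buf))
        return 0; /* longer than any DNS name can be */

    /* URI-style IPv6 literals arrive as "[2001:db8::1]"; strip the
     * brackets so inet_pton() sees the bare address. */
    if (len >= 2 && host[0] == '[' && host[len - 1] == ']') {
        memcpy(buf, host + 1, len - 2);
        buf[len - 2] = '\0';
        if (buf[0] == '\0')
            return 0; /* "[]" carries no name at all */
    } else {
        memcpy(buf, host, len + 1);
    }

    /* inet_pton() returns 1 only for a well-formed literal of the given
     * family. It accepts dotted-quad IPv4 only, so shorthand forms such
     * as "127.1" are not recognised by this check. */
    if (inet_pton(AF_INET, buf, addr) == 1)
        return 0;
    if (inet_pton(AF_INET6, buf, addr) == 1)
        return 0;

    return 1; /* not an address literal: treat it as a DNS hostname */
}
```

A TLS client would call such a helper before setting the server name extension and skip the extension when it returns 0.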
