Hi:
On 11/26/2013 06:18 PM, Kaspar Brand wrote:
On 26.11.2013 09:29, Yann Ylavic wrote:
Another point is that SNI can not be an IP address according to the RFC
6066 :
3. Server Name Indication
[...]
Literal IPv4 and IPv6 addresses are not permitted in "HostName".
and this is not specifically checked by mod_proxy before filling SNI.
Shouldn't the SNI be ommited when the Host is missing/empty or an IP
address too?
Yes, ssl_engine_io.c:ssl_io_filter_handshake() takes care of that.
(I argued for adding this to OpenSSL back in 2009 [1], but one reaction
was "is not exactly a nice thing" and "Looks ugly" [2].)
Hi,
Since I am the culprit about that hasty response :-)
The "design" for sni is: The protocol is between the applications.
The best thing that the client part in openssl would check is whether
the servername is syntactically a fqdn, and the server could validate
this. well, then someone will ask about validation of I18N names
OpenSSL does not check such things AFAIK. It is not an application
level firewall. For example, there is no code to check whether a
hostname matches a certificate, etc.
Regards
Peter
Kaspar
[1]
http://mail-archives.apache.org/mod_mbox/httpd-dev/200910.mbox/%3C4AE47BB6.3030009%40velox.ch%3E
[2]
http://mail-archives.apache.org/mod_mbox/httpd-dev/200910.mbox/%3c4ae4bfe0.6010...@edelweb.fr%3E
