From: Yann Ylavic [mailto:ylavic....@gmail.com]
Sent: Friday, 13 December 2013 13:09
To: httpd
Subject: Re: Behavior of Host: vs. SNI Hostname in proxy CONNECT requests
> On Fri, Dec 13, 2013 at 10:46 AM, Ruediger Pluem <rpl...@apache.org> wrote:
>> William A. Rowe Jr. wrote:
>>> The SSL settings come from first the IP/port search, then the resolved
>>> SNI hostname's vhost, and finally from the corresponding Host: named
>>> vhost where applicable. Of course the Host: vhost config may override
>>> the SNI hostname vhost, that's the correct httpd behavior, just as
>>> changing SSL options within a <location > block overrides the vhost.
>>
>> But these SSL options are not applied later. So if you have two virtual hosts:
>>
>> NameVirtualHost someip:443
>> <virtualhost someip:443>
>> Servername strong
>> SSLCiphersuite something strong
>> </virtualhost>
>> <virtualhost someip:443>
>> Servername weak
>> SSLCiphersuite something weak
>> </virtualhost>
>>
>> Then you would be able to connect to the strong virtual host with a weak
>> cipher just by supplying 'weak' in SNI and 'strong' in the host header.
>
> Without SNI (in 2.2.x, I can't tell for 2.4), doesn't this lead to a
> (secure/full) renegotiation?

IMHO no. This is the problem.

Regards

Rüdiger
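As an added defender-side check (not code from the thread or from httpd itself), the following Python script parses a constructed httpd config shaped like the two vhosts Rüdiger describes and flags any ip:port whose name-based SSL vhosts disagree on handshake-time directives, the condition under which the SNI-selected vhost's cipher settings govern a request that Host: then routes to a different vhost. It generalizes slightly beyond the thread by checking SSLProtocol and SSLHonorCipherOrder as well as SSLCipherSuite; the sample config, the directive list and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample config (assumption): the two name-based SSL vhosts from the thread
SAMPLE_CONFIG = """
NameVirtualHost someip:443
<VirtualHost someip:443>
    ServerName strong
    SSLCipherSuite HIGH:!aNULL
</VirtualHost>
<VirtualHost someip:443>
    ServerName weak
    SSLCipherSuite DEFAULT
</VirtualHost>
<VirtualHost otherip:443>
    ServerName alone
    SSLCipherSuite DEFAULT
</VirtualHost>
"""

# Directives settled during the TLS handshake, i.e. before the Host: header is read.
HANDSHAKE_DIRECTIVES = ("sslciphersuite", "sslprotocol", "sslhonorcipherorder")
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)

def parse_vhosts(config):
    """Yield (address, servername, {directive: value}) for each <VirtualHost> block."""
    for m in VHOST_RE.finditer(config):
        addr, name, ssl = m.group(1).strip().lower(), None, {}
        for line in m.group(2).splitlines():
            parts = line.split(None, 1)
            if len(parts) == 2:
                key, value = parts[0].lower(), parts[1].strip()
                if key == "servername":
                    name = value
                elif key in HANDSHAKE_DIRECTIVES:
                    ssl[key] = value
        yield addr, name, ssl

def find_sni_divergence(config):
    """Map each ip:port whose vhosts disagree on a handshake-time directive to the values seen."""
    by_addr = defaultdict(list)
    for addr, name, ssl in parse_vhosts(config):
        by_addr[addr].append((name, ssl))
    findings = {}
    for addr, entries in by_addr.items():
        for key in HANDSHAKE_DIRECTIVES:
            values = {name: ssl.get(key) for name, ssl in entries}
            if len(set(values.values())) > 1:  # one socket, different handshake rules
                findings.setdefault(addr, {})[key] = values
    return findings
```

An empty result means every vhost sharing a socket negotiates under the same rules, so the SNI/Host mismatch cannot weaken the handshake for any of them.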