From: Yann Ylavic [mailto:ylavic....@gmail.com]
Sent: Friday, 13 December 2013 13:09
To: httpd
Subject: Re: Behavior of Host: vs. SNI Hostname in proxy CONNECT requests

On Fri, Dec 13, 2013 at 10:46 AM, Ruediger Pluem <rpl...@apache.org> wrote:

William A. Rowe Jr. wrote:
>
> The SSL settings come from first the IP/port search, then the resolved
> SNI hostname's vhost, and finally from the corresponding Host: named
> vhost where applicable.  Of course the Host: vhost config may override
> the SNI hostname vhost, that's the correct httpd behavior, just as
> changing SSL options within a <Location> block overrides the vhost.
>
>
But these SSL options are not applied later. So if you have two virtual hosts:

NameVirtualHost someip:443

# Selected for the TLS handshake when the client sends SNI "strong"
<VirtualHost someip:443>
    ServerName strong
    SSLCipherSuite something strong
</VirtualHost>

# Selected for the TLS handshake when the client sends SNI "weak"
<VirtualHost someip:443>
    ServerName weak
    SSLCipherSuite something weak
</VirtualHost>

Then you would be able to connect to the strong virtual host with a weak cipher just by supplying 'weak' in SNI and 'strong' in the Host header.

Without SNI (in 2.2.x, I can't tell for 2.4), doesn't this lead to a (secure/full) renegotiation?

IMHO no. This is the problem.

Regards

Rüdiger

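The exchange above turns on a property of TLS rather than of httpd: the cipher suite and protocol version are fixed when the handshake completes, and the handshake can only be driven by what the client named in SNI, because the Host header travels inside the encrypted stream and is only seen afterwards. Name-based TLS vhosts that share one IP:port are therefore only as strong as the weakest handshake configuration among them. The following script is an added example, not code from this thread or from httpd: it parses the `<VirtualHost>` blocks of an httpd configuration and flags every address whose vhosts would negotiate different handshake parameters depending on the SNI name supplied. The two sample configurations are constructed from the vhosts quoted above; the cipher strings, the `SSLEngine` lines and the `SAMPLE_FIXED` variant are made up for the example.

```python
"""Audit httpd configs for name-based TLS vhosts on one IP:port whose
handshake parameters differ (added example, not part of httpd)."""
import re
from collections import defaultdict

# Parameters that are settled by the TLS handshake. With SNI they come from
# the vhost named in SNI; the Host: header arrives too late to change them.
HANDSHAKE_DIRECTIVES = ("sslciphersuite", "sslprotocol", "sslhonorcipherorder")

OPEN_RE = re.compile(r"^<(\w+)\s*(.*?)>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")


def parse_vhosts(config_text):
    """Return (global_directives, vhosts). Each vhost is a dict with its
    address list, ServerName and the handshake directives set at vhost scope
    (directives nested in <Directory>/<Location> inside a vhost are ignored)."""
    global_dirs, vhosts = {}, []
    current, depth = None, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            name, args = m.group(1).lower(), m.group(2)
            if name == "virtualhost":
                current = {"addresses": args.split(), "servername": None, "directives": {}}
            elif current is not None:
                depth += 1  # some other container inside the vhost
            continue
        m = CLOSE_RE.match(line)
        if m:
            if m.group(1).lower() == "virtualhost":
                if current is not None:
                    vhosts.append(current)
                current = None
            elif current is not None:
                depth -= 1
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if current is None:
            if key in HANDSHAKE_DIRECTIVES:
                global_dirs[key] = value  # server-wide default, inherited by vhosts
        elif depth == 0:
            if key == "servername":
                current["servername"] = value
            elif key in HANDSHAKE_DIRECTIVES:
                current["directives"][key] = value
    return global_dirs, vhosts


def find_mismatches(config_text):
    """Group vhosts by listening address and return (address, directive,
    {servername: effective value}) for every parameter that is not identical
    across all vhosts on that address, i.e. every parameter an attacker could
    pick by choosing the SNI name independently of the Host: header."""
    global_dirs, vhosts = parse_vhosts(config_text)
    by_addr = defaultdict(list)
    for vh in vhosts:
        effective = dict(global_dirs)
        effective.update(vh["directives"])  # vhost scope overrides the server default
        for addr in vh["addresses"]:
            by_addr[addr].append((vh["servername"] or "(no ServerName)", effective))
    findings = []
    for addr, entries in sorted(by_addr.items()):
        if len(entries) < 2:
            continue  # a single vhost on the address: SNI cannot pick anything else
        for directive in HANDSHAKE_DIRECTIVES:
            values = {name: eff.get(directive) for name, eff in entries}
            if len(set(values.values())) > 1:
                findings.append((addr, directive, values))
    return findings


# Constructed from the two vhosts quoted in the thread; cipher strings are made up.
SAMPLE_CONFIG = """\
NameVirtualHost someip:443

<VirtualHost someip:443>
    ServerName strong
    SSLEngine on
    SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>

<VirtualHost someip:443>
    ServerName weak
    SSLEngine on
    SSLCipherSuite ALL:!aNULL:!MD5
</VirtualHost>
"""

# Constructed fix: handshake parameters set once for the address, never per name.
SAMPLE_FIXED = """\
SSLCipherSuite HIGH:!aNULL:!MD5
SSLProtocol all -SSLv2 -SSLv3
NameVirtualHost someip:443

<VirtualHost someip:443>
    ServerName strong
    SSLEngine on
</VirtualHost>

<VirtualHost someip:443>
    ServerName weak
    SSLEngine on
</VirtualHost>
"""

if __name__ == "__main__":
    for label, cfg in (("thread config", SAMPLE_CONFIG), ("fixed config", SAMPLE_FIXED)):
        print(label + ":", find_mismatches(cfg) or "no SNI-dependent handshake parameters")
```

The check deliberately treats a vhost that sets no cipher suite as inheriting the server-wide value, so a single vhost that forgets an override is reported just like one that sets a weaker value. The fix the script accepts is the one implied by the thread: put `SSLCipherSuite` and `SSLProtocol` at server scope (or identically in every vhost) so that whichever name the client puts in SNI, the handshake parameters are the same.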