On Wed, Apr 16, 2014 at 2:41 PM, Plüm, Rüdiger, Vodafone Group <[email protected]> wrote:
>
>> -----Original Message-----
>> From: Yann Ylavic [mailto:[email protected]]
>> This base_server directive would help prevent vhost misuse at the
>> source, whatever the vhosts' configs are, and however we relax the
>> Host vs SNI check.
>
> I don't think so. The SNI provided hostname and the HTTP host header still
> need to match.

Which can't be if no vhost is defined for that SNI, the option would
not break that (it's more a hardening feature).
I'm not arguing we should relax the check (now), but when/if
everything can be done/renegotiated at hook_Access time, hook_ReadReq
will have to let it go, still the check at SSL (alert) level is
relevant IMHO.

>
> Regards
>
> Rüdiger
>
