On Wed, Jun 10, 2015 at 5:48 PM, Yann Ylavic <ylavic....@gmail.com> wrote:
> On Wed, Jun 10, 2015 at 5:30 PM, Yann Ylavic <ylavic....@gmail.com> wrote:
>> On Wed, Jun 10, 2015 at 4:41 PM, Stefan Eissing
>> <stefan.eiss...@greenbytes.de> wrote:
>>> Today I had the second user who got "400 Bad Request" when using mod_h2
>>> with a wildcard certificate. So, I was thinking how to possibly fix the 
>>> code in mod_ssl.
>>>
>>> The mostly harmless approach is the addition of a configuration directive 
>>> that admins may use to explicitly allow multiple host requests on a SNI 
>>> connection. Which would mean that both the config of the SNI host and the 
>>> config of the request host have "SSLSNIVHostMatch off".
>>>
>>> The case where no Host header is provided or no SNI is used I propose to 
>>> leave unaffected, e.g. continue to fail.
>>>
>>> Any thoughts?
>>
>> Maybe matching against the ServerName and ServerAlias(es) instead of
>> the Host header, so that the admin can still have control over it...
>
> E.g. by using ap_matches_request_vhost(r, SNI, 0).

Or likewise with the SAN (SubjectAltName(s) of the server certificate).
=> SSLSNIHostMatch on/vhost/SAN and possibly off (I'd prefer we didn't have to...).
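
The four modes floated in this thread, modelled as an added example that is not part of the original messages and is not mod_ssl code. The semantics given to each mode are one reading of the proposal (assumptions: "on" is the strict check behind the reported 400, "vhost" and "SAN" test the SNI name against the names or certificate of the vhost serving the request); all function and class names are hypothetical.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

@dataclass
class VHost:
    server_name: str
    aliases: list = field(default_factory=list)    # ServerAlias, may hold wildcards
    cert_sans: list = field(default_factory=list)  # dNSName SANs of this vhost's certificate

def norm(name):
    return name.lower().rstrip(".")

def san_covers(san, host):
    """Certificate-style match: '*' stands for exactly one left-most label."""
    p, h = norm(san).split("."), norm(host).split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and (p[0] == "*" or p[0] == h[0])

def vhost_names_cover(vhost, host):
    """ServerName compared exactly, ServerAlias glob-style (approximated with fnmatch)."""
    if norm(vhost.server_name) == norm(host):
        return True
    return any(fnmatchcase(norm(host), norm(a)) for a in vhost.aliases)

def allow_request(mode, sni, host, sni_vhost, req_vhost):
    """True if the request may proceed, False for '400 Bad Request'."""
    if not sni or not host:      # thread: missing SNI or Host keeps failing
        return False
    if mode == "on":             # assumed strict check: request stays on the SNI vhost
        return req_vhost is sni_vhost
    if mode == "vhost":          # SNI must be a ServerName/ServerAlias of the request's vhost
        return vhost_names_cover(req_vhost, sni)
    if mode == "SAN":            # SNI must be covered by the request vhost's certificate
        return any(san_covers(s, sni) for s in req_vhost.cert_sans)
    if mode == "off":
        return True
    raise ValueError(f"unknown mode {mode!r}")

# Constructed sample: vhosts sharing one wildcard certificate, plus an unrelated one.
A = VHost("a.example.org", cert_sans=["*.example.org"])
B = VHost("b.example.org", cert_sans=["*.example.org"])
C = VHost("c.example.org", aliases=["a.example.org"], cert_sans=["*.example.org"])
OTHER = VHost("www.example.net", cert_sans=["www.example.net"])
```

With SNI `a.example.org` and a request for `b.example.org`, "on" and "vhost" refuse while "SAN" accepts; "vhost" accepts the request for `c.example.org` only because the admin listed `a.example.org` as an alias there.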
