On 04/12/2018 09:28 AM, Joe Orton wrote:
> On Wed, Apr 11, 2018 at 10:24:23PM +0200, Yann Ylavic wrote:
>> On Wed, Apr 11, 2018 at 7:54 PM, Joe Orton <[email protected]> wrote:
>>> Yes, exactly - and for affected configs the defining feature is the
>>> absence of SSL* in the second vhost. The non-SSL config still takes
>>> effect as before.
>>
>> Does it still work with SNI sent by the client (i.e. when negotiation
>> should be based on the second NVH's SSL config)?
>
> Not sure how to test nbvh selection based off SNI rather than Host:?
> I'm testing with:
>
> ErrorDocument 404 "default-ssl\n"
>
> in the default SSL vhost for :8043 followed by:
>
> <VirtualHost *:8043>
> ServerName whatever.localdomain:8043
> ErrorDocument 404 "non-default\n"
> </VirtualHost>
>
> I've also changed the logging to log %{HTTPS}e and %{SSL_TLS_SNI}e. And
> so:
>
> $ curl -k https://localhost.localdomain:8043/agag
> default-ssl
> $ curl -k https://whatever.localdomain:8043/agag
> non-default
>
> ... this works. Also I can still trigger the 421 if SNI name & Host are
> different.
>
> But logged is:
>
> ::1 - - [12/Apr/2018:08:11:12 +0100] "GET /agag HTTP/1.1" 404 12 HTTPS=on
> SNI=localhost.localdomain
> 127.0.0.1 - - [12/Apr/2018:08:11:15 +0100] "GET /agag HTTP/1.1" 404 12
> HTTPS=- SNI=-
>
> Now mod_ssl only sees the "off" SSLSrvConfigRec in the second vhost so
> the logging is wrong.

What does the same test result in with 2.4.29?

Regards

Rüdiger
