On Fri, Apr 13, 2018 at 1:11 PM, Joe Orton <jor...@redhat.com> wrote:
> TL;DR:
> 1. my head hurts
> 2. I think my patch is OK
> Anyone read this far?

Yep, I was about to write almost the same long one too :)

One thing to add maybe.
At runtime, *with SNI*, when ssl_callback_ServerNameIndication() gets
called and ap_vhost_iterate_given_conn()::ssl_find_vhost() reaches the
second nvh (beta, with no SSL) corresponding to the SNI, we do
SSL_set_SSL_CTX to switch the SSL's SSL_CTX from
SSLSrvConfig(alpha)->ssl_ctx (pre-set at ssl_hook_pre_connection()
time) to SSLSrvConfig(beta)->ssl_ctx -- sorry for the overlong
However here SSLSrvConfig(beta)->ssl_ctx is NULL (No SSL* directive
configured), so SSL_set_SSL_CTX(ssl, NULL) ends up preserving alpha's
and thus we continue with the context of alpha to handle the

This doesn't look right to me, maybe it is for compatibility on 2.4.x,
but I feel that we should bail out there since beta has really nothing
to do with accepting SSL connections if not explicitely configured to
(is the port in VirtualHost a good criteria? no own SSLCertificate
really? browsers will complain any with no wildcard magic).


Reply via email to