I've opened a PR with a proposed new directive SSLVHostSNIPolicy to resolve the issues many users are having migrating to 2.4.65. https://github.com/apache/httpd/pull/561
This both:

a) allows users to select a weaker vhost compatibility mode
b) strengthens the default and allows a stronger mode selection

Usage: SSLVHostSNIPolicy <policy>

where policy must be one of:

* strict => fail for any vhost mismatch
* authonly => fail only for client verification/auth differences
* secure => fail as authonly plus ciphersuite, protocol, keypair differences
* insecure => allow everything

"secure" is the proposed default which keeps current (2.4.65) behaviour.

I've added checking for any difference in use of SSLOpenSSLConfCmd to "authonly" since the semantics of those directives are unknown to mod_ssl. But open to other opinions on that.

Regards, Joe
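
Added example, not part of the original message or of the PR: a simplified Python model of how the four policies listed above decide whether a request may be served when the vhost selected via SNI differs from the vhost the request maps to. The `VHost` field names and their grouping into auth and crypto settings are assumptions made for illustration, not mod_ssl's internal structures.

```python
from dataclasses import dataclass

# Hypothetical grouping of per-vhost settings (assumption, not mod_ssl's own).
# "authonly" compares client verification/auth settings plus any
# SSLOpenSSLConfCmd usage; "secure" adds protocol, ciphersuite and keypair.
AUTH_FIELDS = ("verify_client", "verify_depth", "ca_file", "openssl_conf_cmds")
CRYPTO_FIELDS = ("protocols", "cipher_suite", "keypair")


@dataclass(frozen=True)
class VHost:
    name: str
    verify_client: str = "none"
    verify_depth: int = 1
    ca_file: str = ""
    openssl_conf_cmds: tuple = ()
    protocols: str = "all"
    cipher_suite: str = "DEFAULT"
    keypair: str = ""


def differing(a, b, fields):
    """Names of the settings in `fields` whose values differ between a and b."""
    return [f for f in fields if getattr(a, f) != getattr(b, f)]


def sni_policy_allows(policy, sni_vhost, request_vhost):
    """Return (allowed, differences) for a request mapped to request_vhost
    on a TLS connection that was negotiated for sni_vhost."""
    if sni_vhost.name == request_vhost.name:
        return True, []                      # no mismatch, nothing to decide
    if policy == "insecure":
        return True, []                      # allow everything
    if policy == "strict":
        return False, ["vhost"]              # any mismatch fails
    if policy == "authonly":
        fields = AUTH_FIELDS
    elif policy == "secure":
        fields = AUTH_FIELDS + CRYPTO_FIELDS
    else:
        raise ValueError(f"unknown policy: {policy!r}")
    diffs = differing(sni_vhost, request_vhost, fields)
    return (not diffs), diffs


# Constructed sample vhosts.
A = VHost("a.example", keypair="a.pem")
B = VHost("b.example", keypair="b.pem")                        # other keypair
C = VHost("c.example", keypair="a.pem", verify_client="require")
D = VHost("d.example", keypair="a.pem",
          openssl_conf_cmds=(("Options", "-SessionTicket"),))
```

In this model a pair of vhosts that differ only in keypair passes under "authonly" but fails under "secure", which is the gap between the weaker compatibility mode and the proposed default.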
