[Bug 57810] Should apache ignore difference in trailing dot between SNI and HTTP requests?
https://bz.apache.org/bugzilla/show_bug.cgi?id=57810 Yann Ylavicchanged: What|Removed |Added Resolution|--- |DUPLICATE Status|NEW |RESOLVED --- Comment #3 from Yann Ylavic --- *** This bug has been marked as a duplicate of bug 58007 *** -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 57810] Should apache ignore difference in trailing dot between SNI and HTTP requests?
https://bz.apache.org/bugzilla/show_bug.cgi?id=57810 --- Comment #2 from Fred Morris consult...@m3047.net --- (In reply to Jean-Luc Duprat from comment #1) [...] [ssl:error] [pid 22158] AH02032: Hostname example.com. provided via SNI and hostname example.com provided via HTTP are different [...] Since the URL is generated by service discovery I have no control over it. The clients also behave consistently. The only way to get this to work would be for apache to allow for this minor difference between the SNI and HTTP hostnames. I believe that www.example.com and www.example.com. are equivalent. Apache already treats vhosts this way, it SHOULD (in the jargon of RFCs) ignore trailing dots for FQDN equivalence. My research indicates (most, in fact) clients are in error, because the SNI specification at least (not HTTP unfortunately) unequivocally calls for the trailing dot to be dropped. See bug 58007. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org
[Bug 57810] Should apache ignore difference in trailing dot between SNI and HTTP requests?
https://bz.apache.org/bugzilla/show_bug.cgi?id=57810 Jean-Luc Duprat j...@acm.org changed: What|Removed |Added OS|Mac OS X 10.1 |Linux --- Comment #1 from Jean-Luc Duprat j...@acm.org --- I am trying to access a URL via https through both the regular URL and one that ends with a trailing dot: example.com example.com. The reason the second case matters is URLs reported by DNS-SD have the trailing dot appended. See http://www.dns-sd.org/trailingdotsindomainnames.html I have a certificate that contains the the subject's common name as CN=example.com and the following SANs: X509v3 Subject Alternative Name: DNS:example.com, DNS:www.example.com, DNS:example.com., DNS:www.example.com. I am using Name-based Virtual Host Support, with the virtual host section looking like so: VirtualHost *:443 Options None ServerName example.com ServerAlias www.example.com ServerAlias example.com. ServerAlias www.example.com. [...] /VirtualHost CSP and HSTS are disabled. When trying to connect to example.com. I get the following error: [ssl:error] [pid 22158] AH02032: Hostname example.com. provided via SNI and hostname example.com provided via HTTP are different All desktop browsers I've tried (Firefox, Chrome, Safari) drop the trailing dot on the the name for the HTTP request. Since the URL is generated by service discovery I have no control over it. The clients also behave consistently. The only way to get this to work would be for apache to allow for this minor difference between the SNI and HTTP hostnames. Would such a patch be considered for inclusion? -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: bugs-unsubscr...@httpd.apache.org For additional commands, e-mail: bugs-h...@httpd.apache.org