Re: https vhosts

2018-05-25 Thread William A Rowe Jr
First off, I need to call this out to point you to folks who have walked this path before; https://bz.apache.org/bugzilla/show_bug.cgi?id=56241 That said, our "radically pedantic" switch with HttpProtocolOptions Strict inflicts such changes on users. Some will be unhappy, but if they serve the

Re: https vhosts

2018-05-25 Thread Stefan Eissing
> Am 24.05.2018 um 14:22 schrieb Yann Ylavic : > > On Thu, May 24, 2018 at 2:09 PM, Eric Covener wrote: >> >> Thinking about base server and how scanners report it the "vulnerability"... >> >> AllowUnmatchedHost[name]? >> RejectUnknownHost[name]? > >

Re: https vhosts

2018-05-24 Thread Yann Ylavic
On Thu, May 24, 2018 at 2:09 PM, Eric Covener wrote: > > Thinking about base server and how scanners report it the "vulnerability"... > > AllowUnmatchedHost[name]? > RejectUnknownHost[name]? The one or the other is probably a better name than UseDefaultVHost, it allows to

Re: https vhosts

2018-05-24 Thread Yann Ylavic
On Thu, May 24, 2018 at 2:08 PM, Stefan Eissing wrote: > > >> Am 24.05.2018 um 14:07 schrieb Yann Ylavic : >> >> On Thu, May 24, 2018 at 1:57 PM, Stefan Eissing >> wrote: >>> Am 24.05.2018 um 13:51 schrieb

Re: https vhosts

2018-05-24 Thread Eric Covener
On Thu, May 24, 2018 at 7:51 AM, Yann Ylavic wrote: > On Thu, May 24, 2018 at 1:44 PM, Eric Covener wrote: >> On Thu, May 24, 2018 at 7:34 AM, Stefan Eissing >> wrote: >>> >>> Am 24.05.2018 um 13:28 schrieb Eric Covener

Re: https vhosts

2018-05-24 Thread Stefan Eissing
> Am 24.05.2018 um 14:07 schrieb Yann Ylavic : > > On Thu, May 24, 2018 at 1:57 PM, Stefan Eissing > wrote: >> >>> Am 24.05.2018 um 13:51 schrieb Yann Ylavic : >>> >>> That'd work (and looks better than Stefan's SNI

Re: https vhosts

2018-05-24 Thread Yann Ylavic
On Thu, May 24, 2018 at 1:57 PM, Stefan Eissing wrote: > >> Am 24.05.2018 um 13:51 schrieb Yann Ylavic : >> >> That'd work (and looks better than Stefan's SNI oriented proposal), >> but I wish we had something working for non-SSL vhosts too, >>

Re: https vhosts

2018-05-24 Thread Stefan Eissing
> Am 24.05.2018 um 13:51 schrieb Yann Ylavic : > > On Thu, May 24, 2018 at 1:44 PM, Eric Covener wrote: >> On Thu, May 24, 2018 at 7:34 AM, Stefan Eissing >> wrote: >>> >>> Am 24.05.2018 um 13:28 schrieb Eric

Re: https vhosts

2018-05-24 Thread Stefan Eissing
Personally, I am looking for an option where I do not have to keep "old" vhosts around. Also, I would like to avoid that someone points "beastlovers.net" to my ip address and people get the greenbytes.de homepage when following some spam/phishing mails (this is a theoretical threat model, rest

Re: https vhosts

2018-05-24 Thread Stefan Eissing
> Am 24.05.2018 um 13:43 schrieb Stefan Priebe - Profihost AG > : > > Hi Stefan, > > as I've tried to do nearly the same some weeks ago I can tell you what I did. :-) In the era of DGSVO, some sites simply wish to disappear silently... > Comment inline. > > Am

Re: https vhosts

2018-05-24 Thread Yann Ylavic
On Thu, May 24, 2018 at 1:44 PM, Eric Covener wrote: > On Thu, May 24, 2018 at 7:34 AM, Stefan Eissing > wrote: >> >> >>> Am 24.05.2018 um 13:28 schrieb Eric Covener : >>> >>> On Thu, May 24, 2018 at 7:23 AM, Stefan Eissing >>>

Re: https vhosts

2018-05-24 Thread Barry Pollard
> On 24 May 2018, at 12:44, Eric Covener wrote: > > On Thu, May 24, 2018 at 7:34 AM, Stefan Eissing > wrote: >> >> >>> Am 24.05.2018 um 13:28 schrieb Eric Covener : >>> >>> On Thu, May 24, 2018 at 7:23 AM, Stefan Eissing

Re: https vhosts

2018-05-24 Thread Eric Covener
On Thu, May 24, 2018 at 7:34 AM, Stefan Eissing wrote: > > >> Am 24.05.2018 um 13:28 schrieb Eric Covener : >> >> On Thu, May 24, 2018 at 7:23 AM, Stefan Eissing >> wrote: >>> Do we have a configuration option to

Re: https vhosts

2018-05-24 Thread Stefan Priebe - Profihost AG
Hi Stefan, as I've tried to do nearly the same some weeks ago I can tell you what I did. Comment inline. Am 24.05.2018 um 13:34 schrieb Stefan Eissing: > So, we are lacking an option here to abort SSL connections without a vhost > match, it seems. Something like > > SSLStrictSNIVHostCheck

Re: https vhosts

2018-05-24 Thread Stefan Eissing
> Am 24.05.2018 um 13:28 schrieb Eric Covener : > > On Thu, May 24, 2018 at 7:23 AM, Stefan Eissing > wrote: >> Do we have a configuration option to allow https://hostname/ only to >> matching vhosts without any default fallback? >> >>

Re: https vhosts

2018-05-24 Thread Eric Covener
On Thu, May 24, 2018 at 7:23 AM, Stefan Eissing wrote: > Do we have a configuration option to allow https://hostname/ only to matching > vhosts without any default fallback? > > Scenario: > - a site with vhost A and B > - vhost B is taken out, DNS still points there

https vhosts

2018-05-24 Thread Stefan Eissing
Do we have a configuration option to allow https://hostname/ only to matching vhosts without any default fallback? Scenario: - a site with vhost A and B - vhost B is taken out, DNS still points there (for a while) - browsers opening https://B/ will get the certificate of A and complain I do