Posted to bugs@httpd.apache.org by bu...@apache.org on 2018/06/21 15:50:01 UTC

[Bug 50227] Option to fail SSL handshake for diverted SNI connections

https://bz.apache.org/bugzilla/show_bug.cgi?id=50227

--- Comment #1 from felipe@felipegasper.com ---
SNI is ubiquitous among HTTP clients nowadays.

IMO the default behavior should be analogous to:

------------
if ($sni = sni_request()) {
    $vhost = get_vhost_for_sni($sni);

    if (!$vhost) {
        throw 'unrecognized_name';
    }
}
else if (require_client_sni()) {
    throw $some_other_error;
}
else {
    $vhost = get_first_vhost_on_ip($ip);
}
------------

If the request is invalid at the TLS level, it makes sense to fail that request
without passing it down to HTTP.

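
The decision logic in the comment above, mapped onto a TLS server-name callback, as an added example that is not part of the original message and is not httpd's code. It uses Python's `ssl.SSLContext.sni_callback`; the helper names, the hostname-to-context dictionary, the `.test` hostnames and the choice of `handshake_failure` for the comment's unspecified `$some_other_error` are assumptions.

```python
import ssl


def make_sni_callback(vhost_contexts, default_context=None, require_sni=False):
    """Return an SSLContext.sni_callback that rejects unknown names during the handshake.

    vhost_contexts:  dict of lower-case hostname -> ssl.SSLContext (assumed layout)
    default_context: context for clients that send no SNI ("first vhost on the IP")
    require_sni:     when True, clients without SNI are rejected as well
    """
    def callback(sslsock, server_name, initial_context):
        if server_name is not None:
            # Hostnames compare case-insensitively; drop a trailing root dot too.
            ctx = vhost_contexts.get(server_name.rstrip(".").lower())
            if ctx is None:
                # Returning an alert code aborts the handshake with that fatal
                # alert, so the connection never reaches the HTTP layer.
                return ssl.ALERT_DESCRIPTION_UNRECOGNIZED_NAME
            sslsock.context = ctx  # serve this vhost's certificate and settings
            return None            # None tells the ssl module to continue
        if require_sni:
            # Assumption: the comment leaves this error unspecified.
            return ssl.ALERT_DESCRIPTION_HANDSHAKE_FAILURE
        if default_context is not None:
            sslsock.context = default_context
        return None
    return callback


def build_listener_context(vhost_contexts, default_context=None, require_sni=False):
    """Context to wrap the listening socket with; per-vhost contexts hold the certs."""
    listener = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    listener.sni_callback = make_sni_callback(vhost_contexts, default_context, require_sni)
    return listener


if __name__ == "__main__":
    class FakeSocket:          # constructed stand-in for ssl.SSLSocket / SSLObject
        context = None

    vhosts = {"www.example.test": ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)}
    cb = make_sni_callback(vhosts, require_sni=True)
    for name in ("WWW.Example.Test", "other.example.test", None):
        print(repr(name), "->", cb(FakeSocket(), name, None))
```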