You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2015/06/11 17:26:33 UTC
[Bug 58026] New: return 421 status code when SNI and Host: header do
not match
https://bz.apache.org/bugzilla/show_bug.cgi?id=58026
Bug ID: 58026
Summary: return 421 status code when SNI and Host: header do
not match
Product: Apache httpd-2
Version: 2.4.12
Hardware: Macintosh
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: bugs@httpd.apache.org
Reporter: stefan@eissing.org
Created attachment 32810
--> https://bz.apache.org/bugzilla/attachment.cgi?id=32810&action=edit
sni status code patch for 2.4.x
HTTP/2 clients will aggressively reuse TLS connections when certificates have
matching alt names or wildcards and hosts resolve to the same IP address.
mod_ssl is refusing sich requests with status 400. HTTP/2 introduced the new
421 (Misdirected Request) which clients will recognize and have them open a new
connection with correct SNI name for it.
If the 400 behaviour is left unchanged, h2 clients will fail connections to
vhosts where another connection already exists (and certs allow reuse).
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 58026] return 421 status code when SNI and Host: header do not
match
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58026
Stefan Eissing <st...@eissing.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED
--- Comment #5 from Stefan Eissing <st...@eissing.org> ---
Resolved in 2.4.17
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 58026] return 421 status code when SNI and Host: header do not
match
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58026
--- Comment #2 from Stefan Eissing <st...@eissing.org> ---
No that I think of it, you are right. The close conn part needs to be dropped.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 58026] return 421 status code when SNI and Host: header do not
match
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58026
Yann Ylavic <yl...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
OS| |All
--- Comment #1 from Yann Ylavic <yl...@gmail.com> ---
The patch looks good, though I'm not sure httpd should close/drop the
connection after returning 421.
Can't the client still reuse it for further requests for the same host?
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 58026] return 421 status code when SNI and Host: header do not
match
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58026
--- Comment #4 from Yann Ylavic <yl...@gmail.com> ---
Committed in r1685069.
This will still return 400 for the first request on the connection, thus HTTP/1
clients should probably not be affected, and HTTP/2 ones should also do the
right thing for it...
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 58026] return 421 status code when SNI and Host: header do not
match
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58026
Stefan Eissing <st...@eissing.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #32810|0 |1
is obsolete| |
--- Comment #3 from Stefan Eissing <st...@eissing.org> ---
Created attachment 32812
--> https://bz.apache.org/bugzilla/attachment.cgi?id=32812&action=edit
v2 of 421 Misdirected Request patch
version2 by removing the connection_close definition
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 58026] return 421 status code when SNI and Host: header do not
match
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58026
Yann Ylavic <yl...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |ylavic.dev@gmail.com
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org