Posted to bugs@httpd.apache.org by bu...@apache.org on 2013/12/11 23:40:10 UTC

[Bug 54656] SNI and SSLProxyCheckPeerCN based on "connection" instead of "request" hostname

https://issues.apache.org/bugzilla/show_bug.cgi?id=54656

William A. Rowe Jr. <wr...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW

--- Comment #3 from William A. Rowe Jr. <wr...@apache.org> ---
Earlier guidance on dev@httpd was misguided.

A similar problem is present for all forward-proxied requests.

The SNI defined hostname can only be used to help route the correct
certificate.
The SNI definition of a hostname is independent of the definition of the
HTTP Host: field, and any assumption that they would be identical is misguided.

The SNI hostname may not be an IP-address, while the Host: header may be.

The SNI hostname is the next-hop hostname (without a port), while the Host:
header is the hostname (including optional port) component of the target URI.
In the forward proxy case, these always differ.

The SNI logic further fails to test alt-subject names, wildcard cn's and a host 
of other design errors.

I expect your report has equal validity in light of these other design flaws
and I'm evaluating this within the context of the current mis-implementation.
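To make the distinction in the comment above concrete, here is an added example (not code from httpd or from the bug report) that derives the SNI name and the Host: header for a request and then checks a hostname against a certificate's subjectAltName dNSNames and wildcard CN. Hostnames such as proxy.example and www.example.org and the addresses 203.0.113.5 / 2001:db8::1 are constructed sample values.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit


def is_ip_literal(host):
    """True for IPv4/IPv6 literals (brackets stripped), False for DNS names."""
    try:
        ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def expected_names(target_uri, next_hop):
    """Return (sni, host_header) for a request to target_uri sent to next_hop.

    next_hop is the TLS peer actually connected to: the origin for a direct
    request, the proxy's host[:port] in the forward-proxy case.
    Host: is taken from the target URI, port included, and may be an IP.
    SNI is the next-hop hostname alone: no port, and None for an IP literal,
    since RFC 6066 does not allow IP addresses in server_name.
    """
    host_header = urlsplit(target_uri).netloc      # host[:port] as given
    hop = urlsplit("//" + next_hop).hostname       # strips port and []
    sni = None if is_ip_literal(hop) else hop
    return sni, host_header


def cert_matches(hostname, san_dns=(), cn=None):
    """Does a certificate with these dNSName SANs (and CN) cover hostname?

    SANs take precedence; the CN is consulted only when no dNSName exists.
    A single leftmost '*' label matches exactly one label (RFC 6125 style).
    """
    hostname = hostname.lower().rstrip(".")
    if is_ip_literal(hostname):
        return False        # an IP peer needs an iPAddress SAN, not a name
    names = [n.lower() for n in san_dns] or ([cn.lower()] if cn else [])
    h_labels = hostname.split(".")
    for name in names:
        if name == hostname:
            return True
        n_labels = name.split(".")
        if n_labels[0] == "*" and len(n_labels) == len(h_labels) \
                and n_labels[1:] == h_labels[1:]:
            return True
    return False
```

In the forward-proxy case expected_names() yields a proxy hostname for SNI and the target URI's host:port for Host:, so comparing the peer certificate against the Host: value would be checking the wrong name.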
