Posted to bugs@httpd.apache.org by bu...@apache.org on 2013/12/11 23:40:10 UTC
[Bug 54656] SNI and SSLProxyCheckPeerCN based on "connection" instead of "request" hostname
https://issues.apache.org/bugzilla/show_bug.cgi?id=54656
William A. Rowe Jr. <wr...@apache.org> changed:
What    |Removed   |Added
----------------------------------------------------------------------------
Status  |NEEDINFO  |NEW
--- Comment #3 from William A. Rowe Jr. <wr...@apache.org> ---
Earlier guidance on dev@httpd was misguided.
A similar problem is present for all forward-proxied requests.
The SNI defined hostname can only be used to help route the correct
certificate.
The SNI definition of a hostname is independent of the definition of the
HTTP Host: field, and any assumption that they would be identical is misguided.
The SNI hostname may not be an IP-address, while the Host: header may be.
The SNI hostname is the next-hop hostname (without a port), while the Host: header
is the hostname (including optional port) component of the target URI. In the
forward proxy case, these always differ.
The SNI logic further fails to test alt-subject names, wildcard cn's and a host
of other design errors.
I expect your report has equal validity in light of these other design flaws and
I'm evaluating this within the context of the current mis-implementation.
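The distinctions the comment draws (SNI carries no port and no IP literal, Host: may carry both; certificate matching must consult SAN dNSName entries and apply wildcard rules) as an added, self-contained example that is not part of the bug report or of httpd's own code. The function names and the sample Host: and certificate values are constructed for illustration.

```python
import ipaddress

def host_header_name(host_header):
    """Hostname part of an HTTP Host: header, lowercased, port and IPv6 brackets removed."""
    h = host_header.strip()
    if not h:
        return None
    if h.startswith("["):                     # bracketed IPv6 literal, e.g. [2001:db8::1]:8443
        end = h.find("]")
        return None if end == -1 else h[1:end].lower()
    if h.count(":") > 1:                      # unbracketed IPv6: malformed, leave it intact
        return h.lower()
    name, sep, port = h.rpartition(":")
    if sep and port.isdigit():                # strip an explicit port such as :8443
        h = name
    return h.rstrip(".").lower()

def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def sni_matches_host(sni, host_header):
    """SNI (RFC 6066) never carries an IP literal or a port, so an IP-literal Host: has no SNI counterpart."""
    name = host_header_name(host_header)
    if name is None or is_ip_literal(name):
        return False
    return sni.rstrip(".").lower() == name

def dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison: a wildcard is only valid as the whole leftmost label and matches one label."""
    pattern, hostname = pattern.rstrip(".").lower(), hostname.rstrip(".").lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def cert_matches_hostname(san_dns_names, common_name, hostname):
    """Check SAN dNSName entries first; fall back to the CN only when the certificate has none."""
    if is_ip_literal(hostname):               # would need SAN iPAddress entries, not modelled here
        return False
    if san_dns_names:
        return any(dns_name_matches(n, hostname) for n in san_dns_names)
    return common_name is not None and dns_name_matches(common_name, hostname)
```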