Posted to bugs@httpd.apache.org by bu...@apache.org on 2011/02/12 16:10:42 UTC

DO NOT REPLY [Bug 43218] Wrong cert used for vhost if ServerName is same

https://issues.apache.org/bugzilla/show_bug.cgi?id=43218

--- Comment #5 from Joe Orton <jo...@redhat.com> 2011-02-12 10:10:39 EST ---
This issue is a side-effect of some mod_ssl internals: mod_ssl caches the
private key and certificate across restarts, so the passphrase for an encrypted
privkey is not required after first startup.  (Actually I don't know why it
caches certs as well as privkeys; it seems unnecessary.)  This dates way back
in mod_ssl history and predates SNI support.

Internally two hash tables "servername -> decoded cert" and "servername ->
decoded key" are kept, so it is here that the ServerName uniqueness matters.

It is certainly correct to be including the ports in the ServerName directive,
and arguably a configuration error to not do so.  If this leads to any
confusion with proxy config perhaps the UseCanonical* settings also need
tweaking.

There is no obvious way to "fix" this situation; I think ideally it would be
caught as a configuration error instead, rather than being silently accepted
yet acting in a surprising fashion.
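The ServerName collision described above, as an added example that is not part of the bug report or of httpd: a small checker that parses the SSL vhosts out of a constructed httpd config and flags any ServerName string shared by vhosts that point at different certificates, then shows the same config with the port included in ServerName. The hostnames, ports and certificate paths are constructed for the example, and the parser assumes one directive per line.

```python
import re
from collections import defaultdict

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^\s*(ServerName|SSLCertificateFile)\s+(\S+)", re.M | re.I)


def parse_ssl_vhosts(config):
    """Return (listen_spec, servername, certfile) for each vhost that sets a cert."""
    vhosts = []
    for listen, body in VHOST_RE.findall(config):
        fields = {k.lower(): v for k, v in DIRECTIVE_RE.findall(body)}
        if "sslcertificatefile" in fields:
            vhosts.append((listen.strip(), fields.get("servername"), fields["sslcertificatefile"]))
    return vhosts


def servername_collisions(config):
    """Map each ServerName string shared by vhosts with *different* certs to
    {certfile: [listen specs]}. mod_ssl keys its cached cert and key on that
    string, so a collision means one vhost can present the other's cert."""
    by_name = defaultdict(dict)
    for listen, name, cert in parse_ssl_vhosts(config):
        by_name[name].setdefault(cert, []).append(listen)
    return {name: certs for name, certs in by_name.items() if len(certs) > 1}


# Constructed sample: two SSL vhosts on different ports with different certs.
TEMPLATE = """
<VirtualHost *:443>
    ServerName www.example.test{p443}
    SSLCertificateFile /etc/pki/tls/certs/www.crt
</VirtualHost>
<VirtualHost *:8443>
    ServerName www.example.test{p8443}
    SSLCertificateFile /etc/pki/tls/certs/admin.crt
</VirtualHost>
"""
BROKEN = TEMPLATE.format(p443="", p8443="")          # port omitted: cache keys collide
FIXED = TEMPLATE.format(p443=":443", p8443=":8443")  # port included: keys are distinct

if __name__ == "__main__":
    print("broken:", servername_collisions(BROKEN))  # one entry, two certs
    print("fixed: ", servername_collisions(FIXED))   # {}
```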
