httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Thomas Eckert <>
Subject [users@httpd] SSL, SNI and SSLStrictSNIVHostCheck
Date Fri, 04 Jan 2013 09:33:14 GMT
Is the directive
     SSLStrictSNIVHostCheck On
meant to block connections  to a virtual host if the connecting client 
uses an IP literal as URL ? RFC 6066 states that
     Literal IPv4 and IPv6 addresses are not permitted in "HostName".
since a SNI doesn't make sense at all for an IP literal and this 
( bug report/patch 
for FF does exactly what I would expect for such a client request, which 
is to not send any SNI at all.

The docs don't mention this corner case 
and I think the "issue" traces to
where there is no check if the SNI is necessary at all, only it if present:
     if ((servername = SSL_get_servername(ssl, 
TLSEXT_NAMETYPE_host_name))) {

So if this is not working as intended I suggest adding an IP literal 
detection at this place and if it is working as intended I would like to 
know the reasoning behind it.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message