@@ -198,19 +198,8 @@ int ssl_hook_ReadReq(request_rec *r)
198198 AP_DEBUG_ASSERT (hssc );
199199
200200 if ((servername = SSL_get_servername (ssl , TLSEXT_NAMETYPE_host_name ))) {
201- /*
202- * The SNI extension supplied a hostname. So don't accept requests
203- * with either no hostname or a hostname that selected a different
204- * virtual host than the one used for the handshake, causing
205- * different SSL parameters to be applied, such as SSLProtocol,
206- * SSLCACertificateFile/Path and SSLCADNRequestFile/Path which
207- * cannot be renegotiated (SSLCA* due to current limitations in
208- * OpenSSL, see:
209- * http://mail-archives.apache.org/mod_mbox/httpd-dev/200806.mbox/%[email protected] %3E 210- * and
211- * http://mail-archives.apache.org/mod_mbox/httpd-dev/201312.mbox/%3CCAKQ1sVNpOrdiBm-UPw1hEdSN7YQXRRjeaT-MCWbW_7mN%3DuFiOw%40mail.gmail.com%3E
212- * )
213- */
201+ /* The SNI extension supplied a hostname; reject any
202+ * request without a Host header. */
214203 if (!r -> hostname ) {
215204 ap_log_rerror (APLOG_MARK , APLOG_ERR , 0 , r , APLOGNO (02031 )
216205 "Hostname %s provided via SNI, but no hostname"
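Review bot: The replacement comment at new lines 201–202 and the one at new lines 230–233 (second hunk) drop the only stated reason the SNI/Host mismatch is rejected: the removed text explained that SSLProtocol and SSLCACertificateFile/Path / SSLCADNRequestFile/Path cannot be renegotiated per request, which is what makes a mismatch a security boundary rather than a cosmetic one. The new wording says the two configurations must be "compatible" without saying what that means, so a maintainer relaxing ssl_check_vhost_sni_policy() later has no hint which parameters are load-bearing. Suggest keeping one sentence of the rationale next to the policy check, e.g. `/* "compatible" = no parameter that cannot be renegotiated per request (SSLProtocol, SSLCA*) differs; see ssl_check_vhost_sni_policy() for the exact rule. */`. Note also that the new comment says "Host header" while the code tests `r->hostname`; if that field can be populated from other sources, the comment should say "request hostname" to match the check. ssl_hook_ReadReq continues outside both hunks.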
@@ -237,7 +226,11 @@ int ssl_hook_ReadReq(request_rec *r)
237226 "which is required to access this server.<br />\n" );
238227 return HTTP_FORBIDDEN ;
239228 }
240- /* Enforce SSL SNI vhost compatibility policy. */
229+
230+ /* Enforce SSL SNI vhost compatibility policy: the virtual
231+ * host selected for the connection (based on the SNI
232+ * extension) must have a "compatible" SSL configuration with
233+ * the one selected based on the Host: header. */
241234 if (!ssl_check_vhost_sni_policy (sc , hssc )) {
242235 ap_log_rerror (APLOG_MARK , APLOG_ERR , 0 , r , APLOGNO (02032 )
243236 "Hostname %s %s and hostname %s provided"