From: Joe Orton Date: Thu, 13 Nov 2025 08:46:23 +0000 (+0000) Subject: * modules/ssl/ssl_engine_kernel.c (ssl_hook_ReadReq): Adjust comments X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2c0400df47b2128d4905fd1251e63e5d0fc03b4e;p=thirdparty%2Fapache%2Fhttpd.git * modules/ssl/ssl_engine_kernel.c (ssl_hook_ReadReq): Adjust comments to line up with the current code better; no functional change. [skip ci] git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1929704 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index 8075f47e03..513923c87b 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -198,19 +198,8 @@ int ssl_hook_ReadReq(request_rec *r) AP_DEBUG_ASSERT(hssc); if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { - /* - * The SNI extension supplied a hostname. So don't accept requests - * with either no hostname or a hostname that selected a different - * virtual host than the one used for the handshake, causing - * different SSL parameters to be applied, such as SSLProtocol, - * SSLCACertificateFile/Path and SSLCADNRequestFile/Path which - * cannot be renegotiated (SSLCA* due to current limitations in - * OpenSSL, see: - * http://mail-archives.apache.org/mod_mbox/httpd-dev/200806.mbox/%3C48592955.2090303@velox.ch%3E - * and - * http://mail-archives.apache.org/mod_mbox/httpd-dev/201312.mbox/%3CCAKQ1sVNpOrdiBm-UPw1hEdSN7YQXRRjeaT-MCWbW_7mN%3DuFiOw%40mail.gmail.com%3E - * ) - */ + /* The SNI extension supplied a hostname; reject any + * request without a Host header. */ if (!r->hostname) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02031) "Hostname %s provided via SNI, but no hostname" @@ -237,7 +226,11 @@ int ssl_hook_ReadReq(request_rec *r) "which is required to access this server.
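Review bot: The replacement comment says the request is rejected when it has "no Host header", but the check it annotates is `if (!r->hostname)` and the log text right below it says "no hostname"; as far as one can tell from here, r->hostname need not come from the Host header alone, so "Host header" describes the check more narrowly than the code does. The rewrite also drops the reason the removed text gave for rejecting such a request — that a request not tied to the handshake's virtual host could end up served under different SSL parameters (SSLProtocol, SSLCA*) than were negotiated — which is the security rationale a reader of this check needs. Suggest `/* The SNI extension supplied a hostname; reject any request that carries no hostname at all, since it cannot be tied to the virtual host used for the handshake (see the SNI policy check below). */`. Separately, `AP_DEBUG_ASSERT(hssc)` compiles out in non-debug builds, so whether a NULL hssc can reach the later policy check depends on how hssc is assigned, which is outside this hunk. ssl_hook_ReadReq begins and ends outside the hunk.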
\n"); return HTTP_FORBIDDEN; } - /* Enforce SSL SNI vhost compatibility policy. */ + + /* Enforce SSL SNI vhost compatibility policy: the virtual + * host selected for the connection (based on the SNI + * extension) must have a "compatible" SSL configuration with + * the one selected based on the Host: header. */ if (!ssl_check_vhost_sni_policy(sc, hssc)) { ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02032) "Hostname %s %s and hostname %s provided"
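Review bot: The new comment describes one side of the comparison as "selected based on the Host: header", but the call is `ssl_check_vhost_sni_policy(sc, hssc)` and the comment does not say which of `sc` and `hssc` is the handshake-side configuration and which is the request-side one; both are assigned outside this hunk, and the earlier check in this function keys on r->hostname rather than specifically on the header. If, as the name and the assert above suggest, hssc is the handshake-side config, suggest `/* Enforce SSL SNI vhost compatibility policy: the virtual host selected for the connection by the SNI extension (hssc) must have a "compatible" SSL configuration with the one selected for this request (sc). */`. Since "compatible" is left in quotes, a pointer such as `see ssl_check_vhost_sni_policy() for what is compared` would save the reader a search. The enclosing function continues past the end of the hunk.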