From d76573e7608cbdeab6c6a658c427d900917bf955 Mon Sep 17 00:00:00 2001
From: Eric Covener
Date: Mon, 7 Jul 2025 11:51:57 +0000
Subject: [PATCH] update SNI validation

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1927035 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/ssl/ssl_engine_kernel.c | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 134fb17afb..a92a765d29 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -370,19 +370,6 @@ int ssl_hook_ReadReq(request_rec *r)
                               " provided in HTTP request", servername);
                 return HTTP_BAD_REQUEST;
             }
-            if (r->server != handshakeserver
-                && !ssl_server_compatible(sslconn->server, r->server)) {
-                /*
-                 * The request does not select the virtual host that was
-                 * selected by the SNI and its SSL parameters are different
-                 */
-
-                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02032)
-                              "Hostname %s provided via SNI and hostname %s provided"
-                              " via HTTP have no compatible SSL setup",
-                              servername, r->hostname);
-                return HTTP_MISDIRECTED_REQUEST;
-            }
         }
         else if (((sc->strict_sni_vhost_check == SSL_ENABLED_TRUE)
                   || hssc->strict_sni_vhost_check == SSL_ENABLED_TRUE)
@@ -403,6 +390,21 @@ int ssl_hook_ReadReq(request_rec *r)
                          "which is required to access this server.\n");
             return HTTP_FORBIDDEN;
         }
+        if (r->server != handshakeserver
+            && !ssl_server_compatible(sslconn->server, r->server)) {
+            /*
+             * The request does not select the virtual host that was
+             * selected for handshaking and its SSL parameters are different
+             */
+
+            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02032)
+                          "Hostname %s %s and hostname %s provided"
+                          " via HTTP have no compatible SSL setup",
+                          servername ? servername : handshakeserver->server_hostname,
+                          servername ? "provided via SNI" : "(default host as no SNI was provided)",
+                          r->hostname);
+            return HTTP_MISDIRECTED_REQUEST;
+        }
     }
 #endif
     modssl_set_app_data2(ssl, r);
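Review bot: The relocated compatibility check still sits inside the conditional block that the visible `#endif` closes, so a build without that option presumably skips it entirely, even though the no-SNI case the check now covers does not depend on the TLS extension being compiled in; if the guard is the TLS-extension one, consider moving the check below `#endif` or documenting why such builds are excluded. The new log call also passes `handshakeserver->server_hostname` and `r->hostname` to `%s` without a NULL check; if either can be unset at this point, a fallback such as `r->hostname ? r->hostname : "(none)"` keeps the message useful rather than relying on the formatter's handling of NULL. A why-comment above the `if` would help the next reader, since the old comment only mentions the handshake: `/* Run this even without SNI: the handshake used the default host's parameters, so a Host header selecting a vhost with different SSL settings must still be rejected. */`. ssl_hook_ReadReq starts before this hunk, so the branch structure that ends at the closing brace above `#endif` is not fully visible here.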