osdir.com


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug 61081] per-domain SNI (to override per-vhost SNI)


https://bz.apache.org/bugzilla/show_bug.cgi?id=61081

--- Comment #3 from Eric Covener <covener@xxxxxxxxx> ---
(In reply to felipe from comment #2)
> (In reply to Eric Covener from comment #1)
> > (In reply to felipe from comment #0)
> > > Currently there is no way to associate an SSL certificate with a specific
> > > FQDN unless that FQDN is the only one on its virtual host.
> > 
> > Is this true? The code looks like it scans ServerAlias entries
> > (ssl_util_vhost_matches) to use the SNI name to map to an SSL vhost config.
> 
> This associates the certificate with the vhost, not with an individual FQDN.
> So all FQDNs on the vhost have to share a single certificate.
> 
> What I’m proposing is a means to decouple the vhost logic from SNI matching:
> if there’s a matching NameBasedSNI entry for the cert/key, then use that;
> otherwise, do business as usual.

I see, I think that is reasonable, but I would suggest avoiding new
container/section construct for it.  In a proprietary SSL plugin, that uses
named certificates rather than paths, it was just repeated
"SSLSNIMap hostname label".

The interaction with current ssl-vhost-config selection by SNI would need to be
sorted out too.  Documenting the status quo would be a good start!

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: bugs-help@xxxxxxxxxxxxxxxx