--- httpd-2.4.7/modules/ssl/ssl_engine_config.c.sninotreq +++ httpd-2.4.7/modules/ssl/ssl_engine_config.c @@ -55,6 +55,7 @@ SSLModConfigRec *ssl_config_global_creat mc = (SSLModConfigRec *)apr_palloc(pool, sizeof(*mc)); mc->pPool = pool; mc->bFixed = FALSE; + mc->sni_required = FALSE; /* * initialize per-module configuration --- httpd-2.4.7/modules/ssl/ssl_engine_init.c.sninotreq +++ httpd-2.4.7/modules/ssl/ssl_engine_init.c @@ -234,7 +234,7 @@ int ssl_init_Module(apr_pool_t *p, apr_p /* * Configuration consistency checks */ - ssl_init_CheckServers(base_server, ptemp); + ssl_init_CheckServers(mc, base_server, ptemp); /* * Announce mod_ssl and SSL library in HTTP Server field @@ -1327,7 +1327,7 @@ void ssl_init_ConfigureServer(server_rec } } -void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p) +void ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *base_server, apr_pool_t *p) { server_rec *s, *ps; SSLSrvConfigRec *sc; @@ -1409,6 +1409,7 @@ void ssl_init_CheckServers(server_rec *b } if (conflict) { + mc->sni_required = TRUE; #ifndef HAVE_TLSEXT ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01917) "Init: You should not use name-based " --- httpd-2.4.7/modules/ssl/ssl_engine_kernel.c.sninotreq +++ httpd-2.4.7/modules/ssl/ssl_engine_kernel.c @@ -164,6 +164,7 @@ int ssl_hook_ReadReq(request_rec *r) } #ifdef HAVE_TLSEXT if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { + if (myModConfig(r->server)->sni_required) { char *host, *scope_id; apr_port_t port; apr_status_t rv; @@ -205,6 +206,7 @@ int ssl_hook_ReadReq(request_rec *r) " virtual host"); return HTTP_FORBIDDEN; } + } #endif SSL_set_app_data2(ssl, r); --- httpd-2.4.7/modules/ssl/ssl_private.h.sninotreq +++ httpd-2.4.7/modules/ssl/ssl_private.h @@ -533,6 +533,7 @@ typedef struct { struct { void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10; } rCtx; + BOOL sni_required; } SSLModConfigRec; /** Structure representing configured filenames for certs and keys for @@ -778,7 +779,7 @@ const char *ssl_cmd_SSLFIPS(cmd_parms *c int ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *); void ssl_init_Engine(server_rec *, apr_pool_t *); void ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *); -void ssl_init_CheckServers(server_rec *, apr_pool_t *); +void ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *, apr_pool_t *); STACK_OF(X509_NAME) *ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *); void ssl_init_Child(apr_pool_t *, server_rec *);