@notroj
Collaborator

@notroj notroj commented Oct 28, 2025

No description provided.

@notroj notroj force-pushed the 2.4.x-ssl-vhost-sni-policy branch from da772ca to 262c206 Compare October 28, 2025 14:19
notroj and others added 3 commits October 28, 2025 14:35
level required for VirtualHost matching.

For "secure" and "authonly" modes, a hash of the policy-relevant vhost
configuration is created and stored in the post_config hooks, reducing
the runtime code complexity (and overhead).

* modules/ssl/ssl_engine_kernel.c (ssl_check_vhost_sni_policy): New
  function, replacing ssl_server_compatible et al.

* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLVHostSNIPolicy): New
  function.

* modules/ssl/ssl_engine_init.c (md5_strarray_cmp, md5_strarray_hash,
  hash_sni_policy_pk, hash_sni_policy_auth, create_sni_policy_hash):
  New functions.
  (ssl_init_Module): Invoke create_sni_policy_hash to store the hash
  for every SSLSrvConfigRec.

* modules/ssl/ssl_private.h (SSLModConfigRec): Add snivh_policy field.
  (SSLSrvConfigRec): Add sni_policy_hash field.

PR: 69743
misplaced tags in English version and fr doc XML file update.

Update docs on SSLVhostSNIPolicy to cover the impact on
non-SNI connections. Reorder the table for clarity.

Submitted by: lgentis, Aaron Ogburn <aogburn redhat.com>, jorton
@notroj notroj force-pushed the 2.4.x-ssl-vhost-sni-policy branch from 262c206 to 14ce1b7 Compare October 28, 2025 14:37