Cutlery/caddy
1
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2025-05-30 19:55:04 -04:00
Code Issues Actions Packages Projects Releases Wiki Activity

Only enforces SNI matching if ClientAuth is enabled (#3096)

Browse Source
This commit is contained in:
Daniel Santos 2020-02-27 19:37:19 -07:00 committed by GitHub
parent 4fbdd23283
commit fa7322365a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
caddyhttp/httpserver/server.go
View File

@ -448,6 +448,7 @@ func (s *Server) serveHTTP(w http.ResponseWriter, r *http.Request) (int, error)
// sites that rely on TLS ClientAuth sharing a port with // sites that rely on TLS ClientAuth sharing a port with
// sites that do not - if mismatched, close the connection // sites that do not - if mismatched, close the connection
if !vhost.TLS.InsecureDisableSNIMatching && r.TLS != nil && if !vhost.TLS.InsecureDisableSNIMatching && r.TLS != nil &&
vhost.TLS.ClientAuth != tls.NoClientCert &&
strings.ToLower(r.TLS.ServerName) != strings.ToLower(hostname) { strings.ToLower(r.TLS.ServerName) != strings.ToLower(hostname) {
r.Close = true r.Close = true
log.Printf("[ERROR] %s - strict host matching: SNI (%s) and HTTP Host (%s) values differ", log.Printf("[ERROR] %s - strict host matching: SNI (%s) and HTTP Host (%s) values differ",