Bug#771199: apache2: SNI hostname comparison against Host header is not case-insensitive

To: submit@bugs.debian.org
Subject: Bug#771199: apache2: SNI hostname comparison against Host header is not case-insensitive
From: Rodrigo Campos <rodrigo@sdfg.com.ar>
Date: Thu, 27 Nov 2014 14:53:23 +0000
Message-id: <[🔎] 20141127145322.GA15840@sdfg.com.ar>
Reply-to: Rodrigo Campos <rodrigo@sdfg.com.ar>, 771199@bugs.debian.org

Package: apache2
Version: 2.2.22-13+deb7u3
Severity: normal

Dear Maintainer,

apache2 on debian using SSL returns error 400 when using ssl vhosts with SNI and
some capital letters. A similar bug is reported on Ubuntu[1] with instructions
on how to reproduce. I can confirm it happens when hosting several ssl sites on
debian stable too. And take into account, as the upstream bug[2] says, that RFC
4366 specifies that all the URI comparison shall be case-insensitive.

Also, as the ubuntu bug says, there is a bug upstream[2] and a fix for 2.2 is
commited. The fix seems to be applied in Ubuntu without any issue and the patch
seems REALLY simple, you can see it here[3].

Please apply the patch, as several production sites I'm running now are failing
because of this and it affects all SSL+SNI debian users using apache.




Thanks a lot,
Rodrigo


[1]: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1298273
[2]: https://issues.apache.org/bugzilla/show_bug.cgi?id=49491
[3]: https://svn.apache.org/viewvc?view=revision&revision=r1515565

Reply to:

Prev by Date: Processed: tagging 770421
Previous by thread: Processed: tagging 770421
Index(es):
- Date
- Thread