
From: Theo Buehler <tb@theobuehler.org>
Subject: Re: [fix] www/apache-httpd SNI problem
To: Mike Fischer <fischer+obsd@lavielle.com>
Cc: ports@openbsd.org
Date: Thu, 11 Jul 2024 03:47:39 +0200

On Thu, Jul 11, 2024 at 03:32:20AM +0200, Mike Fischer wrote:
> Any progress on this?
> 
> I just updated a server to apache-httpd-2.4.61 (from apache-httpd-2.4.59) and initial testing seems to indicate that this issue is now fixed? At least I was not able to trigger the bug on a host that has several VirtualHosts on the same IP/port combination with different certificates.
> 
> It would be great to have this confirmed (or disproved if that is the case) so that the partial workarounds we have put into place to avoid this issue can be reverted back to a more standard configuration.
> 
> OpenBSD 7.5 amd64

current or stable?

Shortly after the 7.5 release was cut, the extension handling was
changed in such a way that apache-httpd will no longer run into this
issue. This change is not in stable and won't be backported.

If your servers are running on current, then this problem should be
addressed. Otherwise, unless you find that apache-httpd 2.4.61 was
changed to stop relying on this undocumented behavior (I haven't
checked), I would recommend to leave the workarounds in place until
you update to OpenBSD 7.6.

> Tested with Brave Browser Version 1.67.123 Chromium: 126.0.6478.126 (Official Build) (arm64)

I'm not sure if the randomization that exposes this problem is enabled
on all builds on all platforms. You might have gotten lucky.