From: Mike Fischer
Subject: Re: [fix] www/apache-httpd SNI problem
To: ports@openbsd.org
Date: Thu, 11 Jul 2024 03:32:20 +0200

Any progress on this?

I just updated a server to apache-httpd-2.4.61 (from apache-httpd-2.4.59) and initial testing seems to indicate that this issue is now fixed? At least I was not able to trigger the bug on a host that has several VirtualHosts on the same IP/port combination with different certificates.

It would be great to have this confirmed (or disproved if that is the case) so that the partial workarounds we have put into place to avoid this issue can be reverted back to a more standard configuration.

OpenBSD 7.5 amd64
Tested with Brave Browser Version 1.67.123 Chromium: 126.0.6478.126 (Official Build) (arm64)

Thanks!
Mike

> On 31.03.2023 at 09:29, giovanni@paclan.it wrote:
>
> On 3/30/23 16:35, giovanni@paclan.it wrote:
>> On 2/7/23 12:25, giovanni@paclan.it wrote:
>>> On 1/23/23 17:12, Bambero wrote:
>>>>
>>>> Hi,
>>>>
>>>> This is a strange problem, probably LibreSSL related.
>>>>
>>>> After upgrading OpenBSD to 7.2, Windows clients using the Google Chrome browser have problems connecting to the Apache server.
>>>> Some requests are served correctly, but periodically the browser shows NET::CERT_COMMON_NAME_INVALID and in the server logs we can see:
>>>>
>>>> AH02645: Server name not provided via TLS extension (using default/first virtual host), default
>>>>
>>>> There was no problem under 7.1.
>>>>
>>>> The problem occurs only when using the Google Chrome browser (not Chromium) under Windows.
>>>>
>>>> I compiled under 7.2 the version of Apache from 7.1 and from current - didn't help.
>>>> The OpenBSD built-in server works correctly.
>>>>
>>>> Problem also submitted here:
>>>> https://bugs.chromium.org/p/chromium/issues/detail?id=1409224
>>>>
>>> Google's analysis pointed to the fact that they recently enabled "Permute TLS extensions" by default in Chrome; is this something we need to implement in LibreSSL?
>>> Regards
>>> Giovanni
>>>
>> With the latest Chrome version (111.0.5563) I cannot trigger this issue anymore; I think they have changed their TLS code.
>> Giovanni
> Actually, every now and then it still happens, unfortunately.
> Giovanni