@@ -371,19 +371,6 @@ int ssl_hook_ReadReq(request_rec *r)
371371 " provided in HTTP request" , servername );
372372 return HTTP_BAD_REQUEST ;
373373 }
374- if (r -> server != handshakeserver
375- && !ssl_server_compatible (sslconn -> server , r -> server )) {
376- /*
377- * The request does not select the virtual host that was
378- * selected by the SNI and its SSL parameters are different
379- */
380-
381- ap_log_rerror (APLOG_MARK , APLOG_ERR , 0 , r , APLOGNO (02032 )
382- "Hostname %s provided via SNI and hostname %s provided"
383- " via HTTP have no compatible SSL setup" ,
384- servername , r -> hostname );
385- return HTTP_MISDIRECTED_REQUEST ;
386- }
387374 }
388375 else if (((sc -> strict_sni_vhost_check == SSL_ENABLED_TRUE )
389376 || hssc -> strict_sni_vhost_check == SSL_ENABLED_TRUE )
@@ -404,6 +391,21 @@ int ssl_hook_ReadReq(request_rec *r)
404391 "which is required to access this server.<br />\n" );
405392 return HTTP_FORBIDDEN ;
406393 }
394+ if (r -> server != handshakeserver
395+ && !ssl_server_compatible (sslconn -> server , r -> server )) {
396+ /*
397+ * The request does not select the virtual host that was
398+ * selected for handshaking and its SSL parameters are different
399+ */
400+
401+ ap_log_rerror (APLOG_MARK , APLOG_ERR , 0 , r , APLOGNO (02032 )
402+ "Hostname %s %s and hostname %s provided"
403+ " via HTTP have no compatible SSL setup" ,
404+ servername ? servername : handshakeserver -> server_hostname ,
405+ servername ? "provided via SNI" : "(default host as no SNI was provided)" ,
406+ r -> hostname );
407+ return HTTP_MISDIRECTED_REQUEST ;
408+ }
407409 }
408410#endif
409411 modssl_set_app_data2 (ssl , r );
0 commit comments