
HttpSM.cc: fix SNI/Host check to compare full length, not just prefix#13359

Open
omkhar wants to merge 1 commit into apache:master from omkhar:sni-host-length-equality-check

Conversation

@omkhar omkhar commented Jul 2, 2026


What

HttpSM::check_sni_host() compares the request Host against the TLS SNI with
strncasecmp(host_name.data(), sni_value, host_len), which only compares the
first host_len bytes. When the SNI is strictly longer than the Host and the
Host is a prefix of it (e.g. Host: secure.example.com with
SNI = secure.example.com.evil), the comparison returns 0 ("match") and the
host_sni_policy SNI/Host-mismatch handling (warn / 403) is skipped.

This adds a length-equality guard so a differing-length SNI is correctly treated
as a name mismatch.

Why

Without the length check, host_sni_policy (SNI/Host pinning) enforcement can be
side-stepped for any prefix relationship between Host and SNI. The check only
runs when host_sni_policy is configured (it is a no-op otherwise), so default
deployments are unaffected.

Verification

Exercised check_sni_host with host_sni_policy enforced:

  • Host = secure.example.com, SNI = secure.example.com.evil (prefix): before
    the fix the mismatch was not enforced (request allowed); after the fix it is
    correctly rejected (403).
  • Control SNI = xsecure.example.com (non-prefix mismatch): rejected before and after.
  • Exact match SNI = secure.example.com: allowed before and after (no regression).

Minimal one-line guard; happy to add an autest gold test if preferred.

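The prefix-only comparison and the length guard, side by side, as an added standalone example (this is not Traffic Server's HttpSM.cc; the function names, the std::string_view parameter and the 200/403 return value are assumptions made for illustration, and only the enforcing mode of host_sni_policy is modelled):

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string_view>
#include <strings.h>   // strncasecmp (POSIX)

// Stand-in for the comparison in HttpSM::check_sni_host(). Names and
// signatures here are assumptions for this example, not the ATS ones.

// Before the fix: strncasecmp bounded by host_len only checks that the first
// host_len bytes agree, so an SNI that merely starts with the Host passes.
bool sni_matches_host_prefix_only(std::string_view host_name, const char *sni_value)
{
  const size_t host_len = host_name.length();
  return strncasecmp(host_name.data(), sni_value, host_len) == 0;
}

// After the fix: require equal lengths first, so a longer SNI is a mismatch.
// A shorter SNI was already rejected, because strncasecmp stops at its NUL
// byte and that byte differs from the next Host character.
bool sni_matches_host_fixed(std::string_view host_name, const char *sni_value)
{
  const size_t host_len = host_name.length();
  if (strlen(sni_value) != host_len) {
    return false;
  }
  return strncasecmp(host_name.data(), sni_value, host_len) == 0;
}

// Outcome of host_sni_policy enforcement for one request: 403 on a name
// mismatch, 200 otherwise (warn-only mode is not modelled).
int policy_status(std::string_view host_name, const char *sni_value, bool with_fix)
{
  const bool match = with_fix ? sni_matches_host_fixed(host_name, sni_value)
                              : sni_matches_host_prefix_only(host_name, sni_value);
  return match ? 200 : 403;
}

int main()
{
  // Constructed cases: the PR's three verification cases plus two edge cases.
  struct Case { const char *host; const char *sni; } cases[] = {
    {"secure.example.com", "secure.example.com.evil"}, // Host is a prefix of SNI
    {"secure.example.com", "xsecure.example.com"},     // non-prefix mismatch
    {"secure.example.com", "secure.example.com"},      // exact match
    {"SECURE.example.com", "secure.example.com"},      // case-insensitive exact match
    {"secure.example.com", "secure.example"},          // SNI shorter than Host
  };
  for (const Case &c : cases) {
    std::printf("Host=%-20s SNI=%-25s before=%d after=%d\n", c.host, c.sni,
                policy_status(c.host, c.sni, false), policy_status(c.host, c.sni, true));
  }
  return 0;
}
```

Only the first case changes outcome between the two versions: the prefix-only compare returns 200 for secure.example.com.evil, the guarded compare returns 403. The non-prefix mismatch, the exact match (including a differently cased one) and the shorter SNI behave identically before and after.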