tls: Add insecure_disable_sni_matching subdirective (#3075)

* Disable StrictHostMatching for single server configs

* Add the insecure_disable_sni_matching directive

* Do not override insecure_disable_sni_matching

* Remove comment
Daniel Santos
2020-02-25 16:04:59 -07:00
committed by GitHub
parent c953d17bcc
commit 4fbdd23283
5 changed files with 16 additions and 18 deletions


@@ -251,7 +251,6 @@ func (h *httpContext) MakeServers() ([]caddy.Server, error) {
// 2) if QUIC is enabled, TLS ClientAuth is not, because
// currently, QUIC does not support ClientAuth (TODO:
// revisit this when our QUIC implementation supports it)
// 3) if TLS ClientAuth is used, StrictHostMatching is on
var atLeastOneSiteLooksLikeProduction bool
for _, cfg := range h.siteConfigs {
// see if all the addresses (both sites and
@@ -292,12 +291,6 @@ func (h *httpContext) MakeServers() ([]caddy.Server, error) {
if QUIC {
return nil, fmt.Errorf("cannot enable TLS client authentication with QUIC, because QUIC does not yet support it")
}
// this must be enabled so that a client cannot connect
// using SNI for another site on this listener that
// does NOT require ClientAuth, and then send HTTP
// requests with the Host header of this site which DOES
// require client auth, thus bypassing it...
cfg.StrictHostMatching = true
}
}