Merge docs changes from r1929308

notroj · notroj · commit a77c8ae02d1e · 2025-10-28T14:36:15.000Z
diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml
@@ -1816,6 +1816,91 @@ SSLStrictSNIVHostCheck on
 </usage>
 </directivesynopsis>
 
+<directivesynopsis>
+<name>SSLVHostSNIPolicy</name>
+<description>Set compatibility policy for SNI client access to virtual hosts.</description>
+<syntax>SSLVHostSNIPolicy strict|secure|authonly|insecure</syntax>
+<default>SSLVHostSNIPolicy secure</default>
+<contextlist><context>server config</context></contextlist>
+<compatibility>Available in httpd 2.5 and later</compatibility>
+
+<usage><p>This directive sets policy applied when checking whether the
+<directive module="core" type="section">VirtualHost</directive>
+identified by the <code>Host</code> request header in an HTTP request
+is compatible with the <directive module="core"
+type="section">VirtualHost</directive> identified from the SNI
+extension sent during the initial TLS connection handshake. If an HTTP
+request is associated with a virtual host which has an incompatible
+SSL/TLS configuration under the policy used, an HTTP error response
+with status code 421 ("Misdirected Request") will be sent.</p>
+
+<p>The <code>strict</code> policy blocks all HTTP requests which are
+identified with a different virtual host to that identifed by SNI.
+The <code>insecure</code> policy allows all HTTP requests regardless
+of virtual host identified; such a configuration may be vulnerable to
+<a
+href="https://httpd.apache.org/security/vulnerabilities_24.html">CVE-2025-23048</a>.
+</p>
+
+<p>The (default) <code>secure</code>, and <code>authonly</code>
+policies compare specific aspects of the SSL configuration for the two
+virtual hosts, which are grouped into two categories:
+
+<ul>
+  <li><strong>client vertification and authentication
+  settings</strong>: directives which affect TLS client certificate
+  verification or authentication, such as <directive
+  module="mod_ssl">SSLVerifyClient</directive>, <directive
+  module="mod_ssl">SSLVerifyMode</directive>, <directive
+  module="mod_ssl">SSLCACertificatePath</directive>, <directive
+  module="mod_ssl">SSLSRPVerifierFile</directive>; any use of <directive
+  module="mod_ssl">SSLOpenSSLConfCmd</directive></li>
+
+  <li><strong>server certificate/key, or protocol/cipher
+  restrictions</strong>: directives which determine the server
+  certificate or key (<directive
+  module="mod_ssl">SSLCertificateKeyFile</directive> etc), cipher or
+  protocol restrictions (<directive
+  module="mod_ssl">SSLCipherSuite</directive> and <directive
+  module="mod_ssl">SSLProtocol</directive>)</li>
+</ul>
+
+This table illustrates whether an HTTP request will be blocked or
+allowed when the virtual host configurations differ as described,
+under each different policy setting:
+
+<table border="1" style="zebra">
+<columnspec><column width=".3"/><column width=".2"/><column width=".5"/>
+</columnspec>
+<tr>
+  <th>Policy mode</th>
+  <th>Any VirtualHost mismatch</th>
+  <th>Client verification/<br />authentication settings</th>
+  <th>Server certificate/key, <br />or protocol/cipher restrictions</th>
+</tr>
+<tr>
+  <td><code>strict</code><td>blocked</td><td>blocked</td><td>blocked</td></td>
+</tr>
+<tr>
+  <td><code>secure</code><td>allowed</td><td>blocked</td><td>blocked</td></td>
+</tr>
+<tr>
+  <td><code>authonly</code><td>allowed</td><td>blocked</td><td>allowed</td></td>
+</tr>
+<tr>
+  <td><code>insecure</code><td>allowed</td><td>allowed</td><td>allowed</td></td>
+</tr>
+</table>
+</p>
+<example><title>Example</title>
+<highlight language="config">
+SSLVHostSNIPolicy authonly
+</highlight>
+
+</example>
+</usage>
+</directivesynopsis>
+
 <directivesynopsis>
 <name>SSLProxyMachineCertificatePath</name>
 <description>Directory of PEM-encoded client certificates and keys to be used by the proxy</description>
