)]}'
{
  "commit": "b720f650bb72118481884657fb6a9bcb1b0f3b11",
  "tree": "aa5502f15121433fb6e6807ea125ba6afa498e27",
  "parents": [
    "6000f4ad6d1e5ea69b3e0925217d08401a3d1774"
  ],
  "author": {
    "name": "Valentin Bartenev",
    "email": "vbart@nginx.com",
    "time": "Wed Feb 27 17:41:34 2013 +0000"
  },
  "committer": {
    "name": "Valentin Bartenev",
    "email": "vbart@nginx.com",
    "time": "Wed Feb 27 17:41:34 2013 +0000"
  },
  "message": "SNI: added restriction on requesting host other than negotiated.\n\nAccording to RFC 6066, client is not supposed to request a different server\nname at the application layer.  Server implementations that rely upon these\nnames being equal must validate that a client did not send a different name\nin HTTP request.  Current versions of Apache HTTP server always return 400\n\"Bad Request\" in such cases.\n\nThere exist implementations however (e.g., SPDY) that rely on being able to\nrequest different host names in one connection.  Given this, we only reject\nrequests with differing host names if verification of client certificates\nis enabled in a corresponding server configuration.\n\nAn example of configuration that might not work as expected:\n\n  server {\n      listen 433 ssl default;\n      return 404;\n  }\n\n  server {\n      listen 433 ssl;\n      server_name example.org;\n\n      ssl_client_certificate org.cert;\n      ssl_verify_client on;\n  }\n\n  server {\n      listen 433 ssl;\n      server_name example.com;\n\n      ssl_client_certificate com.cert;\n      ssl_verify_client on;\n  }\n\nPreviously, a client was able to request example.com by presenting\na certificate for example.org, and vice versa.\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "bb4cacabd158f234dcf499f798a79570d1e483cb",
      "old_mode": 33188,
      "old_path": "src/http/ngx_http_request.c",
      "new_id": "0cb081c7448f9fbc9948d1ce2aa3cbcb40a76f69",
      "new_mode": 33188,
      "new_path": "src/http/ngx_http_request.c"
    }
  ]
}