diff --git a/httpd-2.4.37-sw.patch b/1002-httpd-2.4.37-sw.patch
similarity index 100%
rename from httpd-2.4.37-sw.patch
rename to 1002-httpd-2.4.37-sw.patch
diff --git a/httpd-2.4.37-sslvhostsnipolicy.patch b/httpd-2.4.37-sslvhostsnipolicy.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0cc655165f8fdb86ab69fd2cf44385d3b838b959
--- /dev/null
+++ b/httpd-2.4.37-sslvhostsnipolicy.patch
@@ -0,0 +1,553 @@
+From e3d1aeceb8c3a8b2f90b85b105aec678b9d062bd Mon Sep 17 00:00:00 2001
+From: Joe Orton
+Date: Tue, 11 Nov 2025 15:50:19 +0100
+Subject: [PATCH] mod_ssl: Add SSLVHostSNIPolicy directive to set the
+ compatibility level required for VirtualHost matching.
+
+For "secure" and "authonly" modes, a hash of the policy-relevant vhost
+configuration is created and stored in the post_config hooks, reducing
+the runtime code complexity (and overhead).
+
+* modules/ssl/ssl_engine_kernel.c (ssl_check_vhost_sni_policy): New
+ function, replacing ssl_server_compatible et al.
+
+* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLVHostSNIPolicy): New
+ function.
+
+* modules/ssl/ssl_engine_init.c (md5_strarray_cmp, md5_strarray_hash,
+ hash_sni_policy_pk, hash_sni_policy_auth, create_sni_policy_hash):
+ New functions.
+ (ssl_init_Module): Invoke create_sni_policy_hash to store the hash
+ for every SSLSrvConfigRec.
+
+* modules/ssl/ssl_private.h (SSLModConfigRec): Add snivh_policy field.
+ (SSLSrvConfigRec): Add sni_policy_hash field.
+
+PR: 69743
+GitHub: closes #561
+---
+ docs/manual/mod/mod_ssl.html.en | 77 ++++++++++++++++++
+ modules/ssl/mod_ssl.c | 2 +
+ modules/ssl/ssl_engine_config.c | 41 ++++++++++
+ modules/ssl/ssl_engine_init.c | 107 +++++++++++++++++++++++++
+ modules/ssl/ssl_engine_kernel.c | 133 ++++++--------------------------
+ modules/ssl/ssl_private.h | 16 ++++
+ 6 files changed, 266 insertions(+), 110 deletions(-)
+
+diff --git a/docs/manual/mod/mod_ssl.html.en b/docs/manual/mod/mod_ssl.html.en
+index ab72d4f..97e2e3c 100644
+--- a/docs/manual/mod/mod_ssl.html.en
++++ b/docs/manual/mod/mod_ssl.html.en
+@@ -125,6 +125,7 @@ to provide the cryptography engine.
+
+@@ -2778,6 +2779,82 @@ known to the server (i.e. the CA's certificate is under
+ Example
SSLVerifyDepth 10
+
+
++
++
++
++
++| Description: | Set compatibility policy for SNI client access to virtual hosts. |
++| Syntax: | SSLVHostSNIPolicy strict|secure|authonly|insecure |
++| Default: | SSLVHostSNIPolicy secure |
++| Context: | server config |
++| Status: | Extension |
++| Module: | mod_ssl |
++| Compatibility: | Available in Apache HTTP Server 2.4.37 in Red Hat Enterprise Linux 8 |
++
This directive sets the policy applied when checking whether the
++<VirtualHost>
++identified by the Host request header in an HTTP request
++is compatible with the <VirtualHost> identified from the SNI
++extension sent during the initial TLS connection handshake. If an HTTP
++request is associated with a virtual host which has an incompatible
++SSL/TLS configuration under the policy used, an HTTP error response
++with status code 421 ("Misdirected Request") will be sent.
++
++
The policy also applies to TLS connections where an SNI extension
++is not sent during the handshake, implicitly using the default or
++first virtual host definition. If the Host header in an HTTP request
++on such a connection identifies any other non-default virtual host,
++the compatibility policy is tested.
++
++
The strict policy blocks all HTTP requests which are
++identified with a different virtual host to that identifed by SNI.
++The insecure policy allows all HTTP requests regardless
++of virtual host identified; such a configuration may be vulnerable to
++CVE-2025-23048.
++
++
++
The (default) secure, and authonly
++policies compare specific aspects of the SSL configuration for the two
++virtual hosts, which are grouped into two categories:
++
++
++
++This table illustrates whether an HTTP request will be blocked or
++allowed when the virtual host configurations differ as described,
++under each different policy setting:
++
++
++
++ strict | blocked | blocked | blocked |
++
++
++ secure | allowed | blocked | blocked |
++
++
++ authonly | allowed | blocked | allowed |
++
++
++ insecure | allowed | allowed | allowed |
++
++
++
++
Example
SSLVHostSNIPolicy authonly
++
++
++
+
+
+
+diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
+index b5f8bdf..7820ef6 100644
+--- a/modules/ssl/mod_ssl.c
++++ b/modules/ssl/mod_ssl.c
+@@ -83,6 +83,8 @@ static const command_rec ssl_config_cmds[] = {
+ SSL_CMD_SRV(RandomSeed, TAKE23,
+ "SSL Pseudo Random Number Generator (PRNG) seeding source "
+ "('startup|connect builtin|file:/path|exec:/path [bytes]')")
++ SSL_CMD_SRV(VHostSNIPolicy, TAKE1,
++ "SSL VirtualHost SNI compatibility policy setting")
+
+ /*
+ * Per-server context configuration directives
+diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
+index 7b3e212..f7f0249 100644
+--- a/modules/ssl/ssl_engine_config.c
++++ b/modules/ssl/ssl_engine_config.c
+@@ -78,6 +78,9 @@ SSLModConfigRec *ssl_config_global_create(server_rec *s)
+ #ifdef HAVE_OPENSSL_KEYLOG
+ mc->keylog_file = NULL;
+ #endif
++#ifdef HAVE_TLSEXT
++ mc->snivh_policy = MODSSL_SNIVH_SECURE;
++#endif
+
+ apr_pool_userdata_set(mc, SSL_MOD_CONFIG_KEY,
+ apr_pool_cleanup_null,
+@@ -1903,6 +1906,44 @@ const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag
+ #endif
+ }
+
++const char *ssl_cmd_SSLVHostSNIPolicy(cmd_parms *cmd, void *dcfg, const char *arg)
++{
++#ifdef HAVE_TLSEXT
++ SSLModConfigRec *mc = myModConfig(cmd->server);
++ const char *err;
++
++ if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
++ return err;
++ }
++ if (!mc) {
++ return "SSLVHostSNIPolicy cannot be used inside SSLPolicyDefine";
++ }
++
++ if (strcEQ(arg, "secure")) {
++ mc->snivh_policy = MODSSL_SNIVH_SECURE;
++ }
++ else if (strcEQ(arg, "strict")) {
++ mc->snivh_policy = MODSSL_SNIVH_STRICT;
++ }
++ else if (strcEQ(arg, "insecure")) {
++ mc->snivh_policy = MODSSL_SNIVH_INSECURE;
++ }
++ else if (strcEQ(arg, "authonly")) {
++ mc->snivh_policy = MODSSL_SNIVH_AUTHONLY;
++ }
++ else {
++ return apr_psprintf(cmd->pool, "Invalid SSLVhostSNIPolicy "
++ "argument '%s'", arg);
++ }
++
++ return NULL;
++#else
++ return "SSLVHostSNIPolicy cannot be used, OpenSSL is not built with "
++ "support for TLS extensions and SNI indication. Refer to the "
++ "documentation, and build a compatible version of OpenSSL."
++#endif
++}
++
+ #ifdef HAVE_OCSP_STAPLING
+
+ const char *ssl_cmd_SSLStaplingCache(cmd_parms *cmd,
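Review bot: The `#else` branch of `ssl_cmd_SSLVHostSNIPolicy` returns a concatenated string literal with no terminating `;` as shown here, so a build without `HAVE_TLSEXT` would fail to compile; the last literal should end `"documentation, and build a compatible version of OpenSSL.";`. The invalid-argument message also spells the directive `SSLVhostSNIPolicy`, which does not match the `SSLVHostSNIPolicy` name an administrator would search for; `"Invalid SSLVHostSNIPolicy "` keeps the two consistent. A short comment above the function would help, stating that the directive is global-only and that unrecognised values are rejected at config time rather than falling back to a weaker policy.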
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index ce8cb3a..29a3f7c 100644
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -31,6 +31,7 @@
+ #include "mod_ssl_openssl.h"
+ #include "mpm_common.h"
+ #include "mod_md.h"
++#include "util_md5.h"
+
+ APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, init_server,
+ (server_rec *s,apr_pool_t *p,int is_proxy,SSL_CTX *ctx),
+@@ -184,6 +185,110 @@ static void ssl_add_version_components(apr_pool_t *p,
+ modver, AP_SERVER_BASEVERSION, incver);
+ }
+
++#ifdef HAVE_TLSEXT
++/* Helper functions to create the SNI vhost policy hash. The policy
++ * hash captures the configuration elements relevant to the mode
++ * selected at runtime by SSLVHostSNIPolicy. */
++
++#define md5_str_update(ctx_, pfx_, str_) do { apr_md5_update(ctx_, pfx_, strlen(pfx_)); apr_md5_update(ctx_, str_, strlen(str_)); } while (0)
++#define md5_ifstr_update(ctx_, pfx_, str_) do { apr_md5_update(ctx_, pfx_, strlen(pfx_)); if (str_) apr_md5_update(ctx_, str_, strlen(str_)); } while (0)
++#define md5_fmt_update(ctx_, fmt_, i_) do { char s_[128]; apr_snprintf(s_, sizeof s_, fmt_, i_); \
++ apr_md5_update(ctx_, s_, strlen(s_)); } while (0)
++
++static int md5_strarray_cmp(const void *p1, const void *p2)
++{
++ return strcmp(*(char **)p1, *(char **)p2);
++}
++
++/* Hashes an array of strings in sorted order. */
++static void md5_strarray_hash(apr_pool_t *ptemp, apr_md5_ctx_t *hash,
++ const char *pfx, apr_array_header_t *s)
++{
++ char **elts = apr_pmemdup(ptemp, s->elts, s->nelts * sizeof *elts);
++ int i;
++
++ qsort(elts, s->nelts, sizeof(char *), md5_strarray_cmp);
++
++ apr_md5_update(hash, pfx, strlen(pfx));
++ for (i = 0; i < s->nelts; i++) {
++ md5_str_update(hash, "elm:", elts[i]);
++ }
++}
++
++static void hash_sni_policy_pk(apr_pool_t *ptemp, apr_md5_ctx_t *hash, modssl_ctx_t *ctx)
++{
++ md5_fmt_update(hash, "protocol:%d", ctx->protocol);
++
++ md5_ifstr_update(hash, "ciphers:", ctx->auth.cipher_suite);
++ md5_ifstr_update(hash, "tls13_ciphers:", ctx->auth.tls13_ciphers);
++
++ md5_strarray_hash(ptemp, hash, "cert_files:", ctx->pks->cert_files);
++ md5_strarray_hash(ptemp, hash, "key_files:", ctx->pks->key_files);
++}
++
++static void hash_sni_policy_auth(apr_md5_ctx_t *hash, modssl_ctx_t *ctx)
++{
++ modssl_pk_server_t *pks = ctx->pks;
++ modssl_auth_ctx_t *a = &ctx->auth;
++
++ md5_fmt_update(hash, "verify_depth:%d", a->verify_depth);
++ md5_fmt_update(hash, "verify_mode:%d", a->verify_mode);
++
++ md5_ifstr_update(hash, "ca_name_path:", pks->ca_name_path);
++ md5_ifstr_update(hash, "ca_name_file:", pks->ca_name_file);
++ md5_ifstr_update(hash, "ca_cert_path:", a->ca_cert_path);
++ md5_ifstr_update(hash, "ca_cert_file:", a->ca_cert_file);
++ md5_ifstr_update(hash, "crl_path:", ctx->crl_path);
++ md5_ifstr_update(hash, "crl_file:", ctx->crl_file);
++ md5_fmt_update(hash, "crl_check_mask:%d", ctx->crl_check_mask);
++ md5_fmt_update(hash, "ocsp_mask:%d", ctx->ocsp_mask);
++ md5_fmt_update(hash, "ocsp_force_default:%d", ctx->ocsp_force_default);
++ md5_ifstr_update(hash, "ocsp_responder:", ctx->ocsp_responder);
++
++#ifdef HAVE_SRP
++ md5_ifstr_update(hash, "srp_vfile:", ctx->srp_vfile);
++#endif
++
++#ifdef HAVE_SSL_CONF_CMD
++ {
++ apr_array_header_t *parms = ctx->ssl_ctx_param;
++ int n;
++
++ for (n = 0; n < parms->nelts; n++) {
++ ssl_ctx_param_t *p = &APR_ARRAY_IDX(parms, n, ssl_ctx_param_t);
++
++ md5_str_update(hash, "param:", p->name);
++ md5_str_update(hash, "value:", p->value);
++ }
++ }
++#endif
++}
++#endif
++
++static char *create_sni_policy_hash(apr_pool_t *p, apr_pool_t *ptemp,
++ modssl_snivhpolicy_t policy,
++ SSLSrvConfigRec *sc)
++{
++ char *rv = NULL;
++#ifdef HAVE_TLSEXT
++ if (policy != MODSSL_SNIVH_STRICT && policy != MODSSL_SNIVH_INSECURE) {
++ apr_md5_ctx_t hash;
++ unsigned char digest[APR_MD5_DIGESTSIZE];
++
++ /* Create the vhost policy hash for comparison later. */
++ apr_md5_init(&hash);
++ hash_sni_policy_auth(&hash, sc->server);
++ if (policy == MODSSL_SNIVH_SECURE)
++ hash_sni_policy_pk(ptemp, &hash, sc->server);
++ apr_md5_final(digest, &hash);
++
++ rv = apr_palloc(p, 2 * APR_MD5_DIGESTSIZE + 1);
++ ap_bin2hex(digest, APR_MD5_DIGESTSIZE, rv); /* sets final '\0' */
++ }
++#endif
++ return rv;
++}
++
+ /* _________________________________________________________________
+ **
+ ** Let other answer special connection attempts.
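Review bot: The `md5_str_update` and `md5_ifstr_update` macros feed the prefix and the value into the digest with no terminator or length, so field boundaries are not encoded: an unset (NULL) field and an empty one hash identically, and a value containing another field's prefix text can produce the same byte stream as a different configuration. Equality of this hash is what lets a request cross from the SNI vhost to the Host: vhost under `secure`/`authonly`, so I would include the trailing NUL in each value update, e.g. `apr_md5_update(ctx_, str_, strlen(str_) + 1)`, and hash a distinct marker when the string is NULL. Separately, `hash_sni_policy_pk` dereferences `ctx->pks->cert_files` and `md5_strarray_hash` dereferences `s` unconditionally, whereas the removed `ssl_pk_server_compatible` and `ap_array_same_str_set` treated a NULL on one side as incompatible; whether these can be NULL when `ssl_init_Module` calls in is not visible from this hunk and is worth confirming. A comment noting that MD5 serves here only as a fingerprint over administrator-supplied configuration, not as a cryptographic control, would pre-empt audit questions.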
+@@ -422,6 +527,8 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
+ return rv;
+ }
+ }
++
++ sc->sni_policy_hash = create_sni_policy_hash(p, ptemp, mc->snivh_policy, sc);
+ }
+
+ /*
+diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
+index c13e86c..f27552f 100644
+--- a/modules/ssl/ssl_engine_kernel.c
++++ b/modules/ssl/ssl_engine_kernel.c
+@@ -101,112 +101,28 @@ static int fill_reneg_buffer(request_rec *r, SSLDirConfigRec *dc)
+ }
+
+ #ifdef HAVE_TLSEXT
+-static int ap_array_same_str_set(apr_array_header_t *s1, apr_array_header_t *s2)
++/* Check whether a transition from vhost sc1 to sc2 from SNI to Host:
++ * vhost selection is permitted according to the SSLVHostSNIPolicy
++ * setting. Returns 1 if the policy treats the vhosts as compatible,
++ * else 0. */
++static int ssl_check_vhost_sni_policy(SSLSrvConfigRec *sc1,
++ SSLSrvConfigRec *sc2)
+ {
+- int i;
+- const char *c;
+-
+- if (s1 == s2) {
++ modssl_snivhpolicy_t policy = sc1->mc->snivh_policy;
++
++ /* Policy: insecure => allow everything. */
++ if (policy == MODSSL_SNIVH_INSECURE)
+ return 1;
+- }
+- else if (!s1 || !s2 || (s1->nelts != s2->nelts)) {
+- return 0;
+- }
+
+- for (i = 0; i < s1->nelts; i++) {
+- c = APR_ARRAY_IDX(s1, i, const char *);
+- if (!c || !ap_array_str_contains(s2, c)) {
+- return 0;
+- }
+- }
+- return 1;
+-}
++ /* Policy: strict => fail for any vhost transition. */
++ if (policy == MODSSL_SNIVH_STRICT)
++ return sc1 == sc2;
+
+-static int ssl_pk_server_compatible(modssl_pk_server_t *pks1,
+- modssl_pk_server_t *pks2)
+-{
+- if (!pks1 || !pks2) {
+- return 0;
+- }
+- /* both have the same certificates? */
+- if ((pks1->ca_name_path != pks2->ca_name_path)
+- && (!pks1->ca_name_path || !pks2->ca_name_path
+- || strcmp(pks1->ca_name_path, pks2->ca_name_path))) {
+- return 0;
+- }
+- if ((pks1->ca_name_file != pks2->ca_name_file)
+- && (!pks1->ca_name_file || !pks2->ca_name_file
+- || strcmp(pks1->ca_name_file, pks2->ca_name_file))) {
+- return 0;
+- }
+- if (!ap_array_same_str_set(pks1->cert_files, pks2->cert_files)
+- || !ap_array_same_str_set(pks1->key_files, pks2->key_files)) {
+- return 0;
+- }
+- return 1;
+-}
++ /* For authonly/secure policy, compare the hash. */
++ AP_DEBUG_ASSERT(sc1->sni_policy_hash);
++ AP_DEBUG_ASSERT(sc2->sni_policy_hash);
+
+-static int ssl_auth_compatible(modssl_auth_ctx_t *a1,
+- modssl_auth_ctx_t *a2)
+-{
+- if (!a1 || !a2) {
+- return 0;
+- }
+- /* both have the same verification */
+- if ((a1->verify_depth != a2->verify_depth)
+- || (a1->verify_mode != a2->verify_mode)) {
+- return 0;
+- }
+- /* both have the same ca path/file */
+- if ((a1->ca_cert_path != a2->ca_cert_path)
+- && (!a1->ca_cert_path || !a2->ca_cert_path
+- || strcmp(a1->ca_cert_path, a2->ca_cert_path))) {
+- return 0;
+- }
+- if ((a1->ca_cert_file != a2->ca_cert_file)
+- && (!a1->ca_cert_file || !a2->ca_cert_file
+- || strcmp(a1->ca_cert_file, a2->ca_cert_file))) {
+- return 0;
+- }
+- /* both have the same ca cipher suite string */
+- if ((a1->cipher_suite != a2->cipher_suite)
+- && (!a1->cipher_suite || !a2->cipher_suite
+- || strcmp(a1->cipher_suite, a2->cipher_suite))) {
+- return 0;
+- }
+- /* both have the same ca cipher suite string */
+- if ((a1->tls13_ciphers != a2->tls13_ciphers)
+- && (!a1->tls13_ciphers || !a2->tls13_ciphers
+- || strcmp(a1->tls13_ciphers, a2->tls13_ciphers))) {
+- return 0;
+- }
+- return 1;
+-}
+-
+-static int ssl_ctx_compatible(modssl_ctx_t *ctx1,
+- modssl_ctx_t *ctx2)
+-{
+- if (!ctx1 || !ctx2
+- || (ctx1->protocol != ctx2->protocol)
+- || !ssl_auth_compatible(&ctx1->auth, &ctx2->auth)
+- || !ssl_pk_server_compatible(ctx1->pks, ctx2->pks)) {
+- return 0;
+- }
+- return 1;
+-}
+-
+-static int ssl_server_compatible(server_rec *s1, server_rec *s2)
+-{
+- SSLSrvConfigRec *sc1 = s1? mySrvConfig(s1) : NULL;
+- SSLSrvConfigRec *sc2 = s2? mySrvConfig(s2) : NULL;
+-
+- /* both use the same TLS protocol? */
+- if (!sc1 || !sc2
+- || !ssl_ctx_compatible(sc1->server, sc2->server)) {
+- return 0;
+- }
+-
+- return 1;
++ return strcmp(sc1->sni_policy_hash, sc2->sni_policy_hash) == 0;
+ }
+ #endif
+
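Review bot: `AP_DEBUG_ASSERT` is compiled out of non-debug builds, so in `ssl_check_vhost_sni_policy` a NULL `sni_policy_hash` on either side would reach `strcmp` and crash the request instead of refusing it. For an access-control decision I would fail closed explicitly: `if (sc1 == sc2) return 1;` followed by `if (!sc1->sni_policy_hash || !sc2->sni_policy_hash) return 0;` ahead of the `strcmp`. The identity shortcut also restores the fast path that the removed `r->server != handshakeserver` test gave the common same-vhost case. Whether every `SSLSrvConfigRec` actually receives a hash depends on the loop in `ssl_init_Module`, which is only partly visible on this page.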
+@@ -275,6 +191,8 @@ int ssl_hook_ReadReq(request_rec *r)
+ server_rec *handshakeserver = sslconn->server;
+ SSLSrvConfigRec *hssc = mySrvConfig(handshakeserver);
+
++ AP_DEBUG_ASSERT(hssc);
++
+ if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
+ /*
+ * The SNI extension supplied a hostname. So don't accept requests
+@@ -315,19 +233,14 @@ int ssl_hook_ReadReq(request_rec *r)
+ "which is required to access this server.
\n");
+ return HTTP_FORBIDDEN;
+ }
+- if (r->server != handshakeserver
+- && !ssl_server_compatible(sslconn->server, r->server)) {
+- /*
+- * The request does not select the virtual host that was
+- * selected for handshaking and its SSL parameters are different
+- */
+-
++ /* Enforce SSL SNI vhost compatibility policy. */
++ if (!ssl_check_vhost_sni_policy(sc, hssc)) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02032)
+ "Hostname %s %s and hostname %s provided"
+- " via HTTP have no compatible SSL setup",
++ " via HTTP have no compatible SSL setup for policy '%s'",
+ servername ? servername : handshakeserver->server_hostname,
+ servername ? "provided via SNI" : "(default host as no SNI was provided)",
+- r->hostname);
++ r->hostname, MODSSL_SNIVH_NAME(sc->mc->snivh_policy));
+ return HTTP_MISDIRECTED_REQUEST;
+ }
+ }
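Review bot: The call passes `(sc, hssc)`, which looks like the Host:-selected config first and the handshake config second, while the comment on `ssl_check_vhost_sni_policy` describes a transition from `sc1` (SNI) to `sc2` (Host:). The comparison is symmetric today, so the result is the same, but `ssl_check_vhost_sni_policy(hssc, sc)` would keep the call in line with the documented contract if the check ever becomes directional. `sc` is defined outside this hunk, so I am assuming it is the config of `r->server`.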
+diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
+index 2f8d4d3..eafd97b 100644
+--- a/modules/ssl/ssl_private.h
++++ b/modules/ssl/ssl_private.h
+@@ -498,6 +498,19 @@ typedef struct {
+ int nBytes;
+ } ssl_randseed_t;
+
++/* SNI vhost compatibility policy. */
++typedef enum {
++ MODSSL_SNIVH_STRICT = 0,
++ MODSSL_SNIVH_SECURE = 1,
++ MODSSL_SNIVH_AUTHONLY = 2,
++ MODSSL_SNIVH_INSECURE = 3
++} modssl_snivhpolicy_t;
++
++/* Maps modssl_snivhpolicy_t back into a config option string. */
++#define MODSSL_SNIVH_NAME(p_) ((p_) == MODSSL_SNIVH_STRICT ? "strict" : \
++ ((p_) == MODSSL_SNIVH_SECURE ? "secure" : \
++ ((p_) == MODSSL_SNIVH_AUTHONLY ? "authonly" : "insecure" )))
++
+ /**
+ * Define the structure of an ASN.1 anything
+ */
+@@ -632,6 +645,7 @@ typedef struct {
+ apr_file_t *keylog_file;
+ #endif
+
++ modssl_snivhpolicy_t snivh_policy;
+ } SSLModConfigRec;
+
+ /** Structure representing configured filenames for certs and keys for
+@@ -782,6 +796,7 @@ struct SSLSrvConfigRec {
+ modssl_ctx_t *server;
+ #ifdef HAVE_TLSEXT
+ ssl_enabled_t strict_sni_vhost_check;
++ const char *sni_policy_hash;
+ #endif
+ #ifdef HAVE_FIPS
+ BOOL fips;
+@@ -860,6 +875,7 @@ const char *ssl_cmd_SSLRequire(cmd_parms *, void *, const char *);
+ const char *ssl_cmd_SSLUserName(cmd_parms *, void *, const char *);
+ const char *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
+ const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
++const char *ssl_cmd_SSLVHostSNIPolicy(cmd_parms *cmd, void *dcfg, const char *arg);
+ const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
+
+ const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
+--
+2.44.0
+
diff --git a/httpd.spec b/httpd.spec
index d71a5fbe4236a6fbf081beaf39dc2743e47a3b9d..31af97032a2e6a1bd4310b10a514b9c6369c0914 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -5,294 +5,300 @@
%define mmn 20120211
%define mmnisa %{mmn}%{__isa_name}%{__isa_bits}
%define vstring %(source /etc/os-release; echo ${NAME})
+%define vprefix %(source /etc/os-release; echo ${ID})
%if 0%{?fedora} > 26 || 0%{?rhel} > 7 || 0%{?anolis}
%global mpm event
%else
%global mpm prefork
%endif
-Summary: Apache HTTP Server
-Name: httpd
-Version: 2.4.37
-Release: 655%{anolis_release}%{?dist}.5
-URL: https://httpd.apache.org/
-Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
-Source2: httpd.logrotate
-Source3: instance.conf
-Source4: httpd-ssl-pass-dialog
-Source5: httpd.tmpfiles
-Source6: httpd.service
-Source7: action-graceful.sh
-Source8: action-configtest.sh
-Source10: httpd.conf
-Source11: 00-base.conf
-Source12: 00-mpm.conf
-Source13: 00-lua.conf
-Source14: 01-cgi.conf
-Source15: 00-dav.conf
-Source16: 00-proxy.conf
-Source17: 00-ssl.conf
-Source18: 01-ldap.conf
-Source19: 00-proxyhtml.conf
-Source20: userdir.conf
-Source21: ssl.conf
-Source22: welcome.conf
-Source23: manual.conf
-Source24: 00-systemd.conf
-Source25: 01-session.conf
-Source26: 10-listen443.conf
-Source27: httpd.socket
-Source28: 00-optional.conf
+Summary: Apache HTTP Server
+Name: httpd
+Version: 2.4.37
+Release: 655%{anolis_release}%{?dist}.6
+URL: https://httpd.apache.org/
+Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
+Source2: httpd.logrotate
+Source3: instance.conf
+Source4: httpd-ssl-pass-dialog
+Source5: httpd.tmpfiles
+Source6: httpd.service
+Source7: action-graceful.sh
+Source8: action-configtest.sh
+Source10: httpd.conf
+Source11: 00-base.conf
+Source12: 00-mpm.conf
+Source13: 00-lua.conf
+Source14: 01-cgi.conf
+Source15: 00-dav.conf
+Source16: 00-proxy.conf
+Source17: 00-ssl.conf
+Source18: 01-ldap.conf
+Source19: 00-proxyhtml.conf
+Source20: userdir.conf
+Source21: ssl.conf
+Source22: welcome.conf
+Source23: manual.conf
+Source24: 00-systemd.conf
+Source25: 01-session.conf
+Source26: 10-listen443.conf
+Source27: httpd.socket
+Source28: 00-optional.conf
+Source29: snipolicy.conf
# Documentation
-Source30: README.confd
-Source31: README.confmod
-Source32: httpd.service.xml
-Source33: htcacheclean.service.xml
-Source34: httpd.conf.xml
-Source40: htcacheclean.service
-Source41: htcacheclean.sysconf
-Source42: httpd-init.service
-Source43: httpd-ssl-gencerts
-Source44: httpd@.service
-Source45: config.layout
-Source46: apache-poweredby.png
+Source30: README.confd
+Source31: README.confmod
+Source32: httpd.service.xml
+Source33: htcacheclean.service.xml
+Source34: httpd.conf.xml
+Source40: htcacheclean.service
+Source41: htcacheclean.sysconf
+Source42: httpd-init.service
+Source43: httpd-ssl-gencerts
+Source44: httpd@.service
+Source45: config.layout
+Source46: apache-poweredby.png
# build/scripts patches
# http://bugzilla.redhat.com/show_bug.cgi?id=1231924
# http://bugzilla.redhat.com/show_bug.cgi?id=842736
# http://bugzilla.redhat.com/show_bug.cgi?id=1214401
-Patch1: httpd-2.4.35-apachectl.patch
-Patch2: httpd-2.4.28-apxs.patch
-Patch3: httpd-2.4.35-deplibs.patch
+Patch1: httpd-2.4.35-apachectl.patch
+Patch2: httpd-2.4.28-apxs.patch
+Patch3: httpd-2.4.35-deplibs.patch
# Needed for socket activation and mod_systemd patch
-Patch19: httpd-2.4.35-detect-systemd.patch
+Patch19: httpd-2.4.35-detect-systemd.patch
# Features/functional changes
-Patch20: httpd-2.4.32-export.patch
-Patch21: httpd-2.4.35-corelimit.patch
-Patch22: httpd-2.4.35-selinux.patch
+Patch20: httpd-2.4.32-export.patch
+Patch21: httpd-2.4.35-corelimit.patch
+Patch22: httpd-2.4.35-selinux.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1170215
-Patch23: httpd-2.4.28-icons.patch
-Patch24: httpd-2.4.35-systemd.patch
-Patch25: httpd-2.4.35-cachehardmax.patch
-Patch26: httpd-2.4.28-socket-activation.patch
+Patch23: httpd-2.4.28-icons.patch
+Patch24: httpd-2.4.35-systemd.patch
+Patch25: httpd-2.4.35-cachehardmax.patch
+Patch26: httpd-2.4.28-socket-activation.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1109119
-Patch27: httpd-2.4.35-sslciphdefault.patch
+Patch27: httpd-2.4.35-sslciphdefault.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1332242
-Patch28: httpd-2.4.28-statements-comment.patch
+Patch28: httpd-2.4.28-statements-comment.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=811714
-Patch29: httpd-2.4.35-full-release.patch
-Patch30: httpd-2.4.35-freebind.patch
-Patch31: httpd-2.4.35-r1830819+.patch
+Patch29: httpd-2.4.35-full-release.patch
+Patch30: httpd-2.4.35-freebind.patch
+Patch31: httpd-2.4.35-r1830819+.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1638738
-Patch32: httpd-2.4.37-sslprotdefault.patch
+Patch32: httpd-2.4.37-sslprotdefault.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1747898
-Patch33: httpd-2.4.37-mod-md-mod-ssl-hooks.patch
+Patch33: httpd-2.4.37-mod-md-mod-ssl-hooks.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1725031
-Patch34: httpd-2.4.37-r1861793+.patch
+Patch34: httpd-2.4.37-r1861793+.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1704317
-Patch35: httpd-2.4.37-sslkeylogfile-support.patch
+Patch35: httpd-2.4.37-sslkeylogfile-support.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1794728
-Patch36: httpd-2.4.37-session-expiry-updt-int.patch
+Patch36: httpd-2.4.37-session-expiry-updt-int.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1209162
-Patch37: httpd-2.4.37-logjournal.patch
+Patch37: httpd-2.4.37-logjournal.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1869576
-Patch38: httpd-2.4.37-pr37355.patch
+Patch38: httpd-2.4.37-pr37355.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1896176
-Patch39: httpd-2.4.37-proxy-ws-idle-timeout.patch
+Patch39: httpd-2.4.37-proxy-ws-idle-timeout.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1883648
-Patch40: httpd-2.4.37-ssl-proxy-chains.patch
+Patch40: httpd-2.4.37-ssl-proxy-chains.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1935742
-Patch41: httpd-2.4.37-usertrack-samesite.patch
+Patch41: httpd-2.4.37-usertrack-samesite.patch
# Bug fixes
# https://bugzilla.redhat.com/show_bug.cgi?id=1397243
-Patch61: httpd-2.4.35-r1738878.patch
+Patch61: httpd-2.4.35-r1738878.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1170206
-Patch62: httpd-2.4.35-r1633085.patch
+Patch62: httpd-2.4.35-r1633085.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1448892
-Patch63: httpd-2.4.28-r1811831.patch
+Patch63: httpd-2.4.28-r1811831.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1602548
-Patch65: httpd-2.4.35-r1842888.patch
+Patch65: httpd-2.4.35-r1842888.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1653009
# https://bugzilla.redhat.com/show_bug.cgi?id=1672977
# https://bugzilla.redhat.com/show_bug.cgi?id=1673022
-Patch66: httpd-2.4.37-r1842929+.patch
+Patch66: httpd-2.4.37-r1842929+.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1630432
-Patch67: httpd-2.4.35-r1825120.patch
+Patch67: httpd-2.4.35-r1825120.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1670716
-Patch68: httpd-2.4.37-fips-segfault.patch
+Patch68: httpd-2.4.37-fips-segfault.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1669221
-Patch70: httpd-2.4.37-r1840554.patch
+Patch70: httpd-2.4.37-r1840554.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1673022
-Patch71: httpd-2.4.37-mod-md-perms.patch
+Patch71: httpd-2.4.37-mod-md-perms.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1724549
-Patch72: httpd-2.4.37-mod-mime-magic-strdup.patch
+Patch72: httpd-2.4.37-mod-mime-magic-strdup.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1724034
-Patch73: httpd-2.4.35-ocsp-wrong-ctx.patch
+Patch73: httpd-2.4.35-ocsp-wrong-ctx.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1633224
-Patch74: httpd-2.4.37-r1828172+.patch
+Patch74: httpd-2.4.37-r1828172+.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1775158
-Patch75: httpd-2.4.37-r1870095+.patch
+Patch75: httpd-2.4.37-r1870095+.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1771847
-Patch76: httpd-2.4.37-proxy-continue.patch
-Patch77: httpd-2.4.37-balancer-failover.patch
+Patch76: httpd-2.4.37-proxy-continue.patch
+Patch77: httpd-2.4.37-balancer-failover.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1875844
-Patch78: httpd-2.4.37-r1881459.patch
+Patch78: httpd-2.4.37-r1881459.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1891829
-Patch79: httpd-2.4.37-r1864000.patch
+Patch79: httpd-2.4.37-r1864000.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1868608
-Patch80: httpd-2.4.37-r1872790.patch
+Patch80: httpd-2.4.37-r1872790.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1861380
-Patch81: httpd-2.4.37-r1879224.patch
+Patch81: httpd-2.4.37-r1879224.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1680118
-Patch82: httpd-2.4.37-r1877397.patch
+Patch82: httpd-2.4.37-r1877397.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1847585
-Patch83: httpd-2.4.37-r1878890.patch
+Patch83: httpd-2.4.37-r1878890.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1918741
-Patch84: httpd-2.4.37-r1878280.patch
+Patch84: httpd-2.4.37-r1878280.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1891594
-Patch85: httpd-2.4.37-htcacheclean-dont-break.patch
+Patch85: httpd-2.4.37-htcacheclean-dont-break.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1937334
-Patch86: httpd-2.4.37-r1873907.patch
+Patch86: httpd-2.4.37-r1873907.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1680111
-Patch87: httpd-2.4.37-reply-two-tls-rec.patch
+Patch87: httpd-2.4.37-reply-two-tls-rec.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1905613
-Patch88: httpd-2.4.37-r1845768+.patch
+Patch88: httpd-2.4.37-r1845768+.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2001046
-Patch89: httpd-2.4.37-r1862410.patch
+Patch89: httpd-2.4.37-r1862410.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1984828
-Patch90: httpd-2.4.37-hcheck-mem-issues.patch
+Patch90: httpd-2.4.37-hcheck-mem-issues.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2017543
-Patch91: httpd-2.4.37-add-SNI-support.patch
+Patch91: httpd-2.4.37-add-SNI-support.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2159603
-Patch92: httpd-2.4.37-mod_status-duplicate-key.patch
+Patch92: httpd-2.4.37-mod_status-duplicate-key.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2221083
-Patch93: httpd-2.4.37-r1885607.patch
+Patch93: httpd-2.4.37-r1885607.patch
# https://issues.redhat.com/browse/RHEL-14321
-Patch94: httpd-2.4.57-r1884505+.patch
+Patch94: httpd-2.4.57-r1884505+.patch
# https://bz.apache.org/bugzilla/show_bug.cgi?id=69197
-Patch95: httpd-2.4.37-r1919325.patch
+Patch95: httpd-2.4.37-r1919325.patch
# https://issues.redhat.com/browse/RHEL-56068
-Patch96: httpd-2.4.37-r1922080.patch
+Patch96: httpd-2.4.37-r1922080.patch
# https://issues.redhat.com/browse/RHEL-87641
-Patch97: httpd-2.4.37-r1855391.patch
+Patch97: httpd-2.4.37-r1855391.patch
# Security fixes
-Patch200: httpd-2.4.37-r1851471.patch
+Patch200: httpd-2.4.37-r1851471.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1694980
-Patch201: httpd-2.4.37-CVE-2019-0211.patch
+Patch201: httpd-2.4.37-CVE-2019-0211.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1695025
-Patch202: httpd-2.4.37-CVE-2019-0215.patch
+Patch202: httpd-2.4.37-CVE-2019-0215.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1696141
-Patch203: httpd-2.4.37-CVE-2019-0217.patch
+Patch203: httpd-2.4.37-CVE-2019-0217.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1696097
-Patch204: httpd-2.4.37-CVE-2019-0220.patch
+Patch204: httpd-2.4.37-CVE-2019-0220.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1741860
# https://bugzilla.redhat.com/show_bug.cgi?id=1741864
# https://bugzilla.redhat.com/show_bug.cgi?id=1741868
-Patch205: httpd-2.4.34-CVE-2019-9511-and-9516-and-9517.patch
+Patch205: httpd-2.4.34-CVE-2019-9511-and-9516-and-9517.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1823259
# https://bugzilla.redhat.com/show_bug.cgi?id=1747284
# fixes both CVE-2020-1927 and CVE-2019-10098
-Patch206: httpd-2.4.37-CVE-2019-10098.patch
+Patch206: httpd-2.4.37-CVE-2019-10098.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1747281
-Patch207: httpd-2.4.37-CVE-2019-10092.patch
+Patch207: httpd-2.4.37-CVE-2019-10092.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1747291
-Patch208: httpd-2.4.37-CVE-2019-10097.patch
+Patch208: httpd-2.4.37-CVE-2019-10097.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1820772
-Patch209: httpd-2.4.37-CVE-2020-1934.patch
+Patch209: httpd-2.4.37-CVE-2020-1934.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1668493
-Patch210: httpd-2.4.37-CVE-2018-17199.patch
+Patch210: httpd-2.4.37-CVE-2018-17199.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1866563
-Patch211: httpd-2.4.37-CVE-2020-11984.patch
+Patch211: httpd-2.4.37-CVE-2020-11984.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1972500
-Patch212: httpd-2.4.37-CVE-2021-30641.patch
+Patch212: httpd-2.4.37-CVE-2021-30641.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1968307
-Patch213: httpd-2.4.37-CVE-2021-26690.patch
+Patch213: httpd-2.4.37-CVE-2021-26690.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2005117
-Patch214: httpd-2.4.37-CVE-2021-40438.patch
+Patch214: httpd-2.4.37-CVE-2021-40438.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1966732
-Patch215: httpd-2.4.37-CVE-2021-26691.patch
+Patch215: httpd-2.4.37-CVE-2021-26691.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1968278
-Patch216: httpd-2.4.37-CVE-2020-35452.patch
+Patch216: httpd-2.4.37-CVE-2020-35452.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2005128
-Patch217: httpd-2.4.37-CVE-2021-34798.patch
+Patch217: httpd-2.4.37-CVE-2021-34798.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2005119
-Patch218: httpd-2.4.37-CVE-2021-39275.patch
+Patch218: httpd-2.4.37-CVE-2021-39275.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2005124
-Patch219: httpd-2.4.37-CVE-2021-36160.patch
+Patch219: httpd-2.4.37-CVE-2021-36160.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1966728
-Patch220: httpd-2.4.37-CVE-2021-33193.patch
+Patch220: httpd-2.4.37-CVE-2021-33193.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2034674
-Patch221: httpd-2.4.37-CVE-2021-44790.patch
+Patch221: httpd-2.4.37-CVE-2021-44790.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2034672
-Patch222: httpd-2.4.37-CVE-2021-44224.patch
+Patch222: httpd-2.4.37-CVE-2021-44224.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2064321
-Patch223: httpd-2.4.37-CVE-2022-22720.patch
+Patch223: httpd-2.4.37-CVE-2022-22720.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1966738
-Patch224: httpd-2.4.37-CVE-2020-13950.patch
+Patch224: httpd-2.4.37-CVE-2020-13950.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2064322
-Patch225: httpd-2.4.37-CVE-2022-22719.patch
+Patch225: httpd-2.4.37-CVE-2022-22719.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2064320
-Patch226: httpd-2.4.37-CVE-2022-22721.patch
+Patch226: httpd-2.4.37-CVE-2022-22721.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2065324
-Patch227: httpd-2.4.37-CVE-2022-23943.patch
+Patch227: httpd-2.4.37-CVE-2022-23943.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2095002
-Patch228: httpd-2.4.37-CVE-2022-28614.patch
+Patch228: httpd-2.4.37-CVE-2022-28614.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2095006
-Patch229: httpd-2.4.37-CVE-2022-28615.patch
+Patch229: httpd-2.4.37-CVE-2022-28615.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2095015
-Patch230: httpd-2.4.37-CVE-2022-30522.patch
+Patch230: httpd-2.4.37-CVE-2022-30522.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2095018
-Patch231: httpd-2.4.37-CVE-2022-30556.patch
+Patch231: httpd-2.4.37-CVE-2022-30556.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2095020
-Patch232: httpd-2.4.37-CVE-2022-31813.patch
+Patch232: httpd-2.4.37-CVE-2022-31813.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2095012
-Patch233: httpd-2.4.37-CVE-2022-29404.patch
+Patch233: httpd-2.4.37-CVE-2022-29404.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2094997
-Patch234: httpd-2.4.37-CVE-2022-26377.patch
+Patch234: httpd-2.4.37-CVE-2022-26377.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2161773
-Patch235: httpd-2.4.37-CVE-2022-37436.patch
+Patch235: httpd-2.4.37-CVE-2022-37436.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2161774
-Patch236: httpd-2.4.37-CVE-2006-20001.patch
+Patch236: httpd-2.4.37-CVE-2006-20001.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2161777
-Patch237: httpd-2.4.37-CVE-2022-36760.patch
+Patch237: httpd-2.4.37-CVE-2022-36760.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2176209
-Patch238: httpd-2.4.37-CVE-2023-25690.patch
+Patch238: httpd-2.4.37-CVE-2023-25690.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2176211
-Patch239: httpd-2.4.37-CVE-2023-27522.patch
+Patch239: httpd-2.4.37-CVE-2023-27522.patch
# https://issues.redhat.com/browse/RHEL-14448
-Patch240: httpd-2.4.37-CVE-2023-31122.patch
+Patch240: httpd-2.4.37-CVE-2023-31122.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2273491
-Patch241: httpd-2.4.37-CVE-2023-38709.patch
+Patch241: httpd-2.4.37-CVE-2023-38709.patch
# CVE-2024-38474 and CVE-2024-38475 fixed in one patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2295013
# https://bugzilla.redhat.com/show_bug.cgi?id=2295014
-Patch242: httpd-2.4.37-CVE-2024-38474+.patch
+Patch242: httpd-2.4.37-CVE-2024-38474+.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2295012
-Patch243: httpd-2.4.37-CVE-2024-38473.patch
+Patch243: httpd-2.4.37-CVE-2024-38473.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2295016
-Patch244: httpd-2.4.37-CVE-2024-38477.patch
+Patch244: httpd-2.4.37-CVE-2024-38477.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2295022
-Patch245: httpd-2.4.37-CVE-2024-39573.patch
+Patch245: httpd-2.4.37-CVE-2024-39573.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2295015
-Patch246: httpd-2.4.37-CVE-2024-38476.patch
+Patch246: httpd-2.4.37-CVE-2024-38476.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2297362
# https://bugzilla.redhat.com/show_bug.cgi?id=2295761
-Patch247: httpd-2.4.37-CVE-2024-39884+.patch
+Patch247: httpd-2.4.37-CVE-2024-39884+.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2374576
-Patch248: httpd-2.4.37-CVE-2025-23048.patch
+Patch248: httpd-2.4.37-CVE-2025-23048.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2374571
-Patch249: httpd-2.4.37-CVE-2024-47252.patch
+Patch249: httpd-2.4.37-CVE-2024-47252.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2374580
-Patch250: httpd-2.4.37-CVE-2025-49812.patch
+Patch250: httpd-2.4.37-CVE-2025-49812.patch
+# CVE-2025-23048 follow-up
+# https://github.com/apache/httpd/pull/561
+# https://bz.apache.org/bugzilla/show_bug.cgi?id=69743
+Patch251: httpd-2.4.37-sslvhostsnipolicy.patch
# Add by Anolis
Patch1000: 1000-httpd-anolis-rebrand.patch
Patch1001: 1001-httpd-anolis-support-loongarch64.patch
-Patch2000: httpd-2.4.37-sw.patch
+Patch2000: 1002-httpd-2.4.37-sw.patch
# End
License: ASL 2.0
@@ -316,17 +322,17 @@ Requires(pre): httpd-filesystem
Requires(preun): systemd-units
Requires(postun): systemd-units
Requires(post): systemd-units
-Conflicts: apr < 1.5.0-1
+Conflicts: apr < 1.5.0-1
%description
The Apache HTTP Server is a powerful, efficient, and extensible
web server.
%package devel
-Group: Development/Libraries
-Summary: Development interfaces for the Apache HTTP server
-Requires: apr-devel, apr-util-devel, pkgconfig
-Requires: httpd = %{version}-%{release}
+Group: Development/Libraries
+Summary: Development interfaces for the Apache HTTP server
+Requires: apr-devel, apr-util-devel, pkgconfig
+Requires: httpd = %{version}-%{release}
%description devel
The httpd-devel package contains the APXS binary and other files
@@ -338,11 +344,11 @@ able to compile or develop additional modules for Apache, you need
to install this package.
%package manual
-Group: Documentation
-Summary: Documentation for the Apache HTTP server
-Requires: httpd = %{version}-%{release}
-Obsoletes: secureweb-manual, apache-manual
-BuildArch: noarch
+Group: Documentation
+Summary: Documentation for the Apache HTTP server
+Requires: httpd = %{version}-%{release}
+Obsoletes: secureweb-manual, apache-manual
+BuildArch: noarch
%description manual
The httpd-manual package contains the complete manual and
@@ -350,9 +356,9 @@ reference guide for the Apache HTTP server. The information can
also be found at http://httpd.apache.org/docs/2.2/.
%package filesystem
-Group: System Environment/Daemons
-Summary: The basic directory layout for the Apache HTTP server
-BuildArch: noarch
+Group: System Environment/Daemons
+Summary: The basic directory layout for the Apache HTTP server
+BuildArch: noarch
Requires(pre): /usr/sbin/useradd
%description filesystem
@@ -361,24 +367,24 @@ for the Apache HTTP server including the correct permissions
for the directories.
%package tools
-Group: System Environment/Daemons
-Summary: Tools for use with the Apache HTTP Server
+Group: System Environment/Daemons
+Summary: Tools for use with the Apache HTTP Server
%description tools
The httpd-tools package contains tools which can be used with
the Apache HTTP Server.
%package -n mod_ssl
-Group: System Environment/Daemons
-Summary: SSL/TLS module for the Apache HTTP Server
-Epoch: 1
-BuildRequires: openssl-devel
+Group: System Environment/Daemons
+Summary: SSL/TLS module for the Apache HTTP Server
+Epoch: 1
+BuildRequires: openssl-devel
Requires(pre): httpd-filesystem
-Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa}
-Requires: sscg >= 3.0.0-7, /usr/bin/hostname
-Obsoletes: stronghold-mod_ssl
+Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa}
+Requires: sscg >= 3.0.0-7, /usr/bin/hostname
+Obsoletes: stronghold-mod_ssl
# Require an OpenSSL which supports PROFILE=SYSTEM
-Conflicts: openssl-libs < 1:1.0.1h-4
+Conflicts: openssl-libs < 1:1.0.1h-4
%description -n mod_ssl
The mod_ssl module provides strong cryptography for the Apache Web
@@ -386,31 +392,31 @@ server via the Secure Sockets Layer (SSL) and Transport Layer
Security (TLS) protocols.
%package -n mod_proxy_html
-Group: System Environment/Daemons
-Summary: HTML and XML content filters for the Apache HTTP Server
-Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa}
-BuildRequires: libxml2-devel
-Epoch: 1
-Obsoletes: mod_proxy_html < 1:2.4.1-2
+Group: System Environment/Daemons
+Summary: HTML and XML content filters for the Apache HTTP Server
+Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa}
+BuildRequires: libxml2-devel
+Epoch: 1
+Obsoletes: mod_proxy_html < 1:2.4.1-2
%description -n mod_proxy_html
The mod_proxy_html and mod_xml2enc modules provide filters which can
transform and modify HTML and XML content.
%package -n mod_ldap
-Group: System Environment/Daemons
-Summary: LDAP authentication modules for the Apache HTTP Server
-Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa}
-Requires: apr-util-ldap
+Group: System Environment/Daemons
+Summary: LDAP authentication modules for the Apache HTTP Server
+Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa}
+Requires: apr-util-ldap
%description -n mod_ldap
The mod_ldap and mod_authnz_ldap modules add support for LDAP
authentication to the Apache HTTP Server.
%package -n mod_session
-Group: System Environment/Daemons
-Summary: Session interface for the Apache HTTP Server
-Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa}
+Group: System Environment/Daemons
+Summary: Session interface for the Apache HTTP Server
+Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa}
%description -n mod_session
The mod_session module and associated backends provide an abstract
@@ -534,6 +540,7 @@ interface for storing and accessing per-user session data.
%patch248 -p1 -b .CVE-2025-23048
%patch249 -p1 -b .CVE-2024-47252
%patch250 -p1 -b .CVE-2025-49812
+%patch251 -p1 -b .sslvhostsnipolicy
# Add by Anolis
%patch1000 -p1
%patch1001 -p1
@@ -585,7 +592,7 @@ xmlto man $RPM_SOURCE_DIR/htcacheclean.service.xml
xmlto man $RPM_SOURCE_DIR/httpd.service.xml
: Building with MMN %{mmn}, MMN-ISA %{mmnisa}
-: Default MPM is %{mpm}, vendor string is '%{vstring}'
+: Default MPM is %{mpm}, vendor string is '%{vstring}', prefix is '%{vprefix}'
%build
# forcibly prevent use of bundled apr, apr-util, pcre
@@ -687,10 +694,12 @@ mkdir $RPM_BUILD_ROOT%{_unitdir}/httpd.socket.d
install -m 644 -p $RPM_SOURCE_DIR/10-listen443.conf \
$RPM_BUILD_ROOT%{_unitdir}/httpd.socket.d/10-listen443.conf
-for f in welcome.conf ssl.conf manual.conf userdir.conf; do
+for f in welcome.conf ssl.conf manual.conf userdir.conf snipolicy.conf; do
install -m 644 -p $RPM_SOURCE_DIR/$f \
$RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/$f
done
+mv $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/snipolicy.conf \
+ $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/%{vprefix}-snipolicy.conf
# Split-out extra config shipped as default in conf.d:
for f in autoindex; do
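Review bot: The added `mv` renames a file that the loop above has just installed, so snipolicy.conf sits in the `for f in ...` list only to be moved away two lines later. Installing it once under its final name is easier to follow: leave it out of the loop list and use `install -m 644 -p $RPM_SOURCE_DIR/snipolicy.conf $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/%{vprefix}-snipolicy.conf`. A one-line comment saying why the file carries the `%{vprefix}` prefix would also help, since conf.d files are normally included in name order. The prefix presumably decides whether an administrator's own SSLVHostSNIPolicy setting is read before or after this vendor default; `%{vprefix}` is defined outside this hunk, so that should be confirmed there.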
@@ -923,6 +932,7 @@ rm -rf $RPM_BUILD_ROOT
%config(noreplace) %{_sysconfdir}/httpd/conf.d/*.conf
%exclude %{_sysconfdir}/httpd/conf.d/ssl.conf
+%exclude %{_sysconfdir}/httpd/conf.d/*snipolicy.conf
%exclude %{_sysconfdir}/httpd/conf.d/manual.conf
%dir %{_sysconfdir}/httpd/conf.modules.d
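Review bot: The `%exclude` on `*snipolicy.conf` uses a wider glob than the single file the install step creates, `%{vprefix}-snipolicy.conf`. Naming the file exactly, `%exclude %{_sysconfdir}/httpd/conf.d/%{vprefix}-snipolicy.conf`, keeps the main package's file list tied to the renamed file. It also avoids moving any other file whose name ends in snipolicy.conf out of the main package. The same applies to the `%config(noreplace)` line added in the mod_ssl `%files` hunk that follows. Both file lists continue outside their hunks.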
@@ -1011,6 +1021,7 @@ rm -rf $RPM_BUILD_ROOT
%{_libdir}/httpd/modules/mod_ssl.so
%config(noreplace) %{_sysconfdir}/httpd/conf.modules.d/00-ssl.conf
%config(noreplace) %{_sysconfdir}/httpd/conf.d/ssl.conf
+%config(noreplace) %{_sysconfdir}/httpd/conf.d/*snipolicy.conf
%attr(0700,apache,root) %dir %{_localstatedir}/cache/httpd/ssl
%{_unitdir}/httpd-init.service
%{_libexecdir}/httpd-ssl-pass-dialog
@@ -1046,13 +1057,18 @@ rm -rf $RPM_BUILD_ROOT
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
-* Tue Sep 09 2025 zhangbinchen - 2.4.37-65.0.1.5
+* Mon Dec 22 2025 zhangbinchen - 2.4.37-65.0.1.6
- Rebrand for Anolis OS
- Requires system-logos-httpd
- Support loongarch64 platform(Liwei Ge)
cherry-pick `add sw patch #400077d851a81ce23aa39db271e26c3df254ae53`. (nijie@wxiat.com)
cherry-pick `change sw patch #bdacf2efe00d8445328f798df8c5520728801e8c`. (nijie@wxiat.com)
+* Fri Nov 07 2025 Luboš Uhliarik - 2.4.37-65.6
+- Resolves: RHEL-127073 - mod_ssl: allow more fine grained SSL SNI vhost check
+ to avoid unnecessary 421 errors after CVE-2025-23048 fix
+- mod_ssl: add conf.d/snipolicy.conf to set 'SSLVHostSNIPolicy authonly' default
+
* Mon Jul 28 2025 Luboš Uhliarik - 2.4.37-65.5
- Resolves: RHEL-99944 - CVE-2025-49812 httpd: HTTP Session Hijack via a TLS upgrade
- Resolves: RHEL-99969 - CVE-2024-47252 httpd: insufficient escaping of
diff --git a/snipolicy.conf b/snipolicy.conf
new file mode 100644
index 0000000000000000000000000000000000000000..48d44f9a7b62283c0aec3502d8b2a582cfa2e482
--- /dev/null
+++ b/snipolicy.conf
@@ -0,0 +1,15 @@
+#
+# Vendor override: Set the default SNI virtual host policy to "authonly"
+# to preserve compatibility between virtual hosts which differ only in
+# certificate or key configuration. This overrides the hard-coded
+# mod_ssl default mode of "secure".
+#
+# See the directive documentation for more information:
+# https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslvhostsnipolicy
+#
+# NOTE: if this file is removed, it will be restored on upgrades.
+# To disable the override, comment-out the lines below.
+#
+
+ SSLVHostSNIPolicy authonly
+
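Review bot: The header comment explains the compatibility gain of `authonly` but not what is given up relative to the built-in `secure` mode, which an administrator needs to know when deciding whether to keep this override. As the comment itself says, `authonly` treats virtual hosts as compatible even when their certificate or key configuration differs. A request may therefore be served by a vhost other than the one selected during the TLS handshake, presumably as long as the client-authentication settings match (worth checking against the linked directive documentation). I would add a line such as `# Deployments that rely on per-vhost certificates to separate sites should set "SSLVHostSNIPolicy secure" here.` The closing note also says "the lines below" although only one directive follows.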