From fa7322365a22e82b1d37696d09d3bb264907fdc9 Mon Sep 17 00:00:00 2001
From: Daniel Santos <dasanto2@cisco.com>
Date: Thu, 27 Feb 2020 19:37:19 -0700
Subject: [PATCH] Only enforces SNI matching if ClientAuth is enabled (#3096)

---
 caddyhttp/httpserver/server.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/caddyhttp/httpserver/server.go b/caddyhttp/httpserver/server.go
index 3dc5c9d9d..30a25919e 100644
--- a/caddyhttp/httpserver/server.go
+++ b/caddyhttp/httpserver/server.go
@@ -448,6 +448,7 @@ func (s *Server) serveHTTP(w http.ResponseWriter, r *http.Request) (int, error)
 	// sites that rely on TLS ClientAuth sharing a port with
 	// sites that do not - if mismatched, close the connection
 	if !vhost.TLS.InsecureDisableSNIMatching && r.TLS != nil &&
+		vhost.TLS.ClientAuth != tls.NoClientCert &&
 		strings.ToLower(r.TLS.ServerName) != strings.ToLower(hostname) {
 		r.Close = true
 		log.Printf("[ERROR] %s - strict host matching: SNI (%s) and HTTP Host (%s) values differ",
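Review bot: The comment above this condition (it begins outside the hunk) no longer describes the check: with the added `vhost.TLS.ClientAuth != tls.NoClientCert` clause, a site without client auth now accepts requests whose Host differs from the handshake's ServerName, and the comment should say so. Protection of client-auth sites now depends on `vhost` being the site chosen from the HTTP Host rather than from SNI; `hostname` suggests this, but the lookup is not visible in the hunk. A comment such as `// enforced only when the Host-matched site requires client certs, so a handshake made for a no-client-auth site cannot reach it` would make that assumption explicit. The patch touches only server.go, so a regression test is also worth adding for a handshake using one site's SNI and a Host that names a client-auth site. serveHTTP's body continues outside the hunk.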