Responses to PR feedback · kubernetes-sigs/gateway-api@10dadbc · GitHub

Commit 10dadbc

Responses to PR feedback
1 parent 24f800d commit 10dadbc

4 files changed

+54
-31
lines changed

apis/v1/gateway_types.go

Lines changed: 17 additions & 10 deletions
@@ -341,7 +341,7 @@ type Listener struct {
341341
// The semantics of this are described in more detail below.
342342
//
343343
// To ensure security, Section 11.1 of RFC-6066 emphasizes that server
344-
// implementations that rely on SNI hostnames matching must also verify
344+
// implementations that rely on SNI hostname matching MUST also verify
345345
// hostnames within the application protocol.
346346
//
347347
// Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the
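Review bot: At new line 344, the capitalised MUST is presented as what Section 11.1 of RFC-6066 emphasizes rather than as a requirement of this API, so a reader cannot tell whether verifying the hostname within the application protocol is a conformance requirement for Gateway implementations. The misdirected-request matching a few lines later is only a SHOULD, which makes the intended strength harder to read. Consider adding a separate sentence that states the Gateway API requirement directly with its own keyword, and keep the RFC sentence as the rationale.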
@@ -351,12 +351,16 @@ type Listener struct {
351351
//
352352
// To detect misdirected requests, Gateways SHOULD match the authority of
353353
// the requests with all the SNI hostname(s) configured across all the
354-
// Gateway Listeners on the same port:
354+
// Gateway Listeners on the same port and protocol:
355355
//
356356
// * If another Listener has an exact match or more specific wildcard entry,
357-
// the Gateway should return a 421.
358-
// * If the current Listener doesn’t match the SNI or Host, the reverse
359-
// proxy should return a 421.
357+
// the Gateway SHOULD return a 421.
358+
// * If the current Listener (selected by SNI matching during ClientHello)
359+
// does not match the Host:
360+
// * If another Listener does match the Host the Gateway SHOULD return a
361+
// 421.
362+
// * If no other Listener matches the Host, the Gateway MUST return a
363+
// 404.
360364
//
361365
// For HTTPRoute and TLSRoute resources, there is an interaction with the
362366
// `spec.hostnames` array. When both listener and route specify hostnames,
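Review bot: The bullets at new lines 356-363 overlap, and the outcome when a 421 is not returned is left undefined. The first bullet ("If another Listener has an exact match or more specific wildcard entry") does not say what is being matched or whether the current Listener also matches, and the nested bullet at 360 ("If another Listener does match the Host") appears to cover the same situation. Since both 421 cases are SHOULD while the 404 case is MUST, please state what a Gateway does with the request when it chooses not to send a 421, because that is the case where a request can be handled on a connection whose TLS settings were selected for a different Listener. Smaller points: the paragraph says "authority" at 352 and "Host" in the bullets, so pick one term or define how they relate, and a comma is missing after "Host" at 360.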
@@ -1297,11 +1301,11 @@ const (
12971301
// SAN for foo.example.com.
12981302
//
12991303
// This overlapping TLS configuration can be particularly problematic when
1300-
// combined with connection coalescing. When client reuse connections using
1301-
// this technique, it can have confusing interactions with Gateway API, such
1302-
// as TLS configuration for one Listener getting used for a request reusing
1303-
// an existing connection that would not be used for the request using a new
1304-
// connection.
1304+
// combined with HTTP connection coalescing. When clients reuse connections
1305+
// using this technique, it can have confusing interactions with Gateway
1306+
// API, such as TLS configuration for one Listener getting used for a
1307+
// request reusing an existing connection that would not be used if the same
1308+
// request was initiating a new connection.
13051309
//
13061310
// Controllers MUST detect the presence of overlapping hostnames and MAY
13071311
// detect the presence of overlapping certificates.
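Review bot: In the rewritten sentence at new lines 1304-1308, "it can have confusing interactions" has no clear referent and understates the issue: the example that follows is a request being served under one Listener's TLS configuration that it would not get on a fresh connection. Suggest saying that directly and pointing to the misdirected request (421) guidance in the Listener hostname documentation so readers see the expected handling. Grammar nit: "if the same request was initiating a new connection" reads better as "if the same request were made on a new connection".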
@@ -1322,6 +1326,9 @@ const (
13221326
// * "OverlappingHostnames"
13231327
// * "OverlappingCertificates"
13241328
//
1329+
// If a controller supports checking for both possible reasons and finds
1330+
// that both are true, it SHOULD set the "OverlappingCertificates" Reason.
1331+
//
13251332
// This is a negative polarity condition and MUST NOT be set when it is
13261333
// False.
13271334
//
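Review bot: The precedence rule added at new lines 1329-1330 has no rationale, and it hides the hostname overlap when both reasons are true. The text above says controllers MUST detect overlapping hostnames and only MAY detect overlapping certificates, yet here the optional check wins the Reason. Please add a sentence explaining why "OverlappingCertificates" takes priority, and consider saying that the condition message SHOULD mention both overlaps so the hostname finding is not lost.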

config/crd/experimental/gateway.networking.k8s.io_gateways.yaml

Lines changed: 18 additions & 10 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

config/crd/standard/gateway.networking.k8s.io_gateways.yaml

Lines changed: 18 additions & 10 deletions

pkg/generated/openapi/zz_generated.openapi.go

Lines changed: 1 addition & 1 deletion
