Posted to dev@httpd.apache.org by Ruediger Pluem <rp...@apache.org> on 2009/05/04 21:22:51 UTC

Re: svn commit: r768504 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS docs/manual/mod/mod_ssl.xml modules/proxy/mod_proxy_http.c modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_io.c modules/ssl/ssl_private.h


On 04/25/2009 11:50 AM, rpluem@apache.org wrote:
> Author: rpluem
> Date: Sat Apr 25 09:50:27 2009
> New Revision: 768504
> 
> URL: http://svn.apache.org/viewvc?rev=768504&view=rev
> Log:
> Backport of r760866:
> 
> * Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives to enable
>   stricter checking of remote server certificates.
> 
>   (docs/manual/mod/mod_ssl.xml)
>     Documentation of SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
> 
>   (modules/proxy/mod_proxy_http.c)
>     Set the hostname of the request URL as note on the connection.
> 
>   (modules/ssl/ssl_private.h)
>     Add proxy_ssl_check_peer_expire and proxy_ssl_check_peer_cn fields to
>     the SSLSrvConfigRec.
> 
>   (modules/ssl/ssl_engine_config.c)
>     Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
> 
>   (modules/ssl/ssl_engine_io.c)
>     Check whether the remote server's certificate is expired / if there is a
>     mismatch between the requested hostname and the remote server certificate's
>     CN field.
>     Be able to parse ASN1 times.
> 
>   (modules/ssl/mod_ssl.c)
>     Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
> 
> Submitted by: rpluem
> Reviewed by: rpluem, jim, jfclere
> 
> Modified:
>     httpd/httpd/branches/2.2.x/CHANGES
>     httpd/httpd/branches/2.2.x/STATUS
>     httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml
>     httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_http.c
>     httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c
>     httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c
>     httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c
>     httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h
> 

During my work on the SNI backport I noticed that during my preparation of
the backport patch for this proposal one important line fell through the cracks
that was contained in r760866.

The following patch would fix this missing initialization:

Index: modules/ssl/ssl_engine_io.c
===================================================================
--- modules/ssl/ssl_engine_io.c (revision 771213)
+++ modules/ssl/ssl_engine_io.c (working copy)
@@ -1060,6 +1060,7 @@
     if (sslconn->is_proxy) {
         const char *hostname_note;

+        sc = mySrvConfig(sslconn->server);
         if ((n = SSL_connect(filter_ctx->pssl)) <= 0) {
             ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
                           "SSL Proxy connect failed");
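Review bot: `sc` is assigned from `sslconn->server` here, but neither its declaration nor any earlier assignment is inside the hunk, so the visible lines cannot show whether this repairs a read of an otherwise unset `sc` (as "missing initialization" in the mail suggests) or replaces a value `sc` already holds with the server record behind `sslconn->server`. If it is the latter, the later SSLProxyCheckPeerExpire / SSLProxyCheckPeerCN lookups named in the commit message would start reading a different server config, which is a behaviour change rather than an initialization; please widen the context to include where `sc` is declared and first set, or state which case applies.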



Can I just correct this error and fix it in 2.2.x?


Regards

Rüdiger
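The following is an added example, not code from httpd or from anyone in this thread: the two remote-peer checks that the commit message above describes (what SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN switch on) together with the ASN.1 time parsing they need, written in Python so they can be exercised offline. The function names, the constructed sample times and the exact, case-insensitive CN comparison (CN only, with no subjectAltName or wildcard handling, neither of which the commit message mentions) are assumptions of this example and do not describe mod_ssl's implementation.

```python
# Added example, not httpd's own code: expiry and CN-vs-hostname checks for a
# backend certificate, plus the DER UTCTime / GeneralizedTime parsing they need.
# Every name and sample value below is an assumption of this example.
import re
from datetime import datetime, timezone
from typing import List, Optional

ASN1_UTCTIME = 0x17           # DER tag for UTCTime (YYMMDDhhmm[ss]Z)
ASN1_GENERALIZEDTIME = 0x18   # DER tag for GeneralizedTime (YYYYMMDDhhmmssZ)

# Constructed sample inputs, not taken from any real certificate. Each is a
# complete DER element: tag, short-form length, ASCII time string.
SAMPLE_NOT_AFTER_UTC = b"\x17\x0d" + b"090601120000Z"    # 2009-06-01 12:00:00Z
SAMPLE_NOT_AFTER_GEN = b"\x18\x0f" + b"20500101000000Z"  # 2050-01-01 00:00:00Z
SAMPLE_NOW = datetime(2009, 5, 4, 21, 22, 51, tzinfo=timezone.utc)  # constructed "now"


def parse_asn1_time(der: bytes) -> datetime:
    """Decode one DER UTCTime or GeneralizedTime element into an aware UTC datetime.

    Only the Zulu forms RFC 5280 requires inside certificates are accepted.
    Offsets such as +0100, fractional seconds, a wrong tag or a length that
    does not match the element all raise ValueError: a lenient parser here
    would turn a malformed notAfter into a passing expiry check.
    """
    if len(der) < 2 or der[1] & 0x80 or len(der) != 2 + der[1]:
        raise ValueError("malformed ASN.1 time element")
    tag, body = der[0], der[2:].decode("ascii")
    if tag == ASN1_UTCTIME:
        m = re.fullmatch(r"(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})?Z", body)
        if not m:
            raise ValueError("malformed UTCTime")
        yy = int(m.group(1))
        year = 2000 + yy if yy < 50 else 1900 + yy   # RFC 5280 two-digit-year window
    elif tag == ASN1_GENERALIZEDTIME:
        m = re.fullmatch(r"(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z", body)
        if not m:
            raise ValueError("malformed GeneralizedTime")
        year = int(m.group(1))
    else:
        raise ValueError("tag 0x%02x is not an ASN.1 time" % tag)
    month, day, hour, minute = (int(m.group(i)) for i in range(2, 6))
    second = int(m.group(6) or 0)              # seconds are optional in UTCTime
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def is_valid_asn1_time(der: bytes) -> bool:
    """True if parse_asn1_time accepts the element, False on any decode error."""
    try:
        parse_asn1_time(der)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def peer_cert_expired(not_after_der: bytes, now: Optional[datetime] = None) -> bool:
    """The SSLProxyCheckPeerExpire idea: notAfter lies in the past."""
    if now is None:
        now = datetime.now(timezone.utc)
    return parse_asn1_time(not_after_der) < now


def peer_cn_matches(requested_host: str, cert_cn: str) -> bool:
    """The SSLProxyCheckPeerCN idea: requested hostname equals the CN.

    Assumed here: exact match after lower-casing (DNS names are case-
    insensitive) and after dropping a trailing dot; CN only, no SAN or
    wildcards.
    """
    return requested_host.rstrip(".").lower() == cert_cn.rstrip(".").lower()


def check_proxy_peer(requested_host: str, cert_cn: str, not_after_der: bytes, *,
                     check_cn: bool = True, check_expire: bool = True,
                     now: Optional[datetime] = None) -> List[str]:
    """Return the reasons to refuse the backend; an empty list means accept.

    check_expire and check_cn stand in for the two directives; switching one
    off reproduces the earlier behaviour of not performing that check at all.
    """
    problems = []
    if check_expire and peer_cert_expired(not_after_der, now):
        problems.append("certificate expired")
    if check_cn and not peer_cn_matches(requested_host, cert_cn):
        problems.append("CN mismatch")
    return problems


if __name__ == "__main__":
    print(check_proxy_peer("backend.example.org", "backend.example.org",
                           SAMPLE_NOT_AFTER_UTC, now=SAMPLE_NOW))
    print(check_proxy_peer("other.example.org", "backend.example.org",
                           SAMPLE_NOT_AFTER_UTC))
```

In the real proxy the hostname would come from the request URL via the connection note that mod_proxy_http.c sets (per the commit message) and the notAfter bytes from the peer's X509 certificate after SSL_connect; here both are passed in directly so the decision logic can be tested on its own.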

Re: svn commit: r768504 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS docs/manual/mod/mod_ssl.xml modules/proxy/mod_proxy_http.c modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_io.c modules/ssl/ssl_private.h

Posted by Ruediger Pluem <rp...@apache.org>.

On 05/04/2009 10:29 PM, Roy T. Fielding wrote:
> On May 4, 2009, at 12:22 PM, Ruediger Pluem wrote:
>> During my work on the SNI backport I noticed that during my
>> preparation of
>> the backport patch for this proposal one important line fell through the
>> cracks
>> that was contained in r760866.
>>
>> The following patch would fix this missing initialization:
>>
>> Index: modules/ssl/ssl_engine_io.c
>> ===================================================================
>> --- modules/ssl/ssl_engine_io.c (revision 771213)
>> +++ modules/ssl/ssl_engine_io.c (working copy)
>> @@ -1060,6 +1060,7 @@
>>      if (sslconn->is_proxy) {
>>          const char *hostname_note;
>>
>> +        sc = mySrvConfig(sslconn->server);
>>          if ((n = SSL_connect(filter_ctx->pssl)) <= 0) {
>>              ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
>>                            "SSL Proxy connect failed");
>>
>>
>>
>> Can I just correct this error and fix it in 2.2.x?
> 
> Yes, just fix it.

Thanks. Sorry for the confusion I am creating now, but I have now
found out that this line *must* be part of the SNI backport
proposal that I am currently working on and not part of this
backport. What confused me and created my messy question was
that r760866 was a backport of code that was committed to trunk
*after* some parts of the SNI code, and this line in trunk is
actually the right and needed thing to do with the SNI patches
applied, but not without them.
Hope that I will be less confusing next time :-).


Regards

Rüdiger



Re: svn commit: r768504 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS docs/manual/mod/mod_ssl.xml modules/proxy/mod_proxy_http.c modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_io.c modules/ssl/ssl_private.h

Posted by "Roy T. Fielding" <fi...@gbiv.com>.
On May 4, 2009, at 12:22 PM, Ruediger Pluem wrote:
> During my work on the SNI backport I noticed that during my
> preparation of
> the backport patch for this proposal one important line fell through
> the cracks
> that was contained in r760866.
>
> The following patch would fix this missing initialization:
>
> Index: modules/ssl/ssl_engine_io.c
> ===================================================================
> --- modules/ssl/ssl_engine_io.c (revision 771213)
> +++ modules/ssl/ssl_engine_io.c (working copy)
> @@ -1060,6 +1060,7 @@
>      if (sslconn->is_proxy) {
>          const char *hostname_note;
>
> +        sc = mySrvConfig(sslconn->server);
>          if ((n = SSL_connect(filter_ctx->pssl)) <= 0) {
>              ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
>                            "SSL Proxy connect failed");
>
>
>
> Can I just correct this error and fix it in 2.2.x?

Yes, just fix it.

....Roy