Posted to cvs@httpd.apache.org by ji...@apache.org on 2012/09/21 17:10:13 UTC
svn commit: r1388547 - in /httpd/httpd/branches/2.4.x: ./ CHANGES modules/ssl/ssl_engine_io.c
Author: jim
Date: Fri Sep 21 15:10:12 2012
New Revision: 1388547
URL: http://svn.apache.org/viewvc?rev=1388547&view=rev
Log:
Merge r1375584 from trunk:
* modules/ssl/ssl_engine_io.c (ssl_io_filter_handshake): Add a
wildcard common name match.
PR: 53006
Submitted by: jorton
Reviewed/backported by: jim
Modified:
httpd/httpd/branches/2.4.x/ (props changed)
httpd/httpd/branches/2.4.x/CHANGES
httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_io.c
Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
Merged /httpd/httpd/trunk:r1375584
Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1388547&r1=1388546&r2=1388547&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Fri Sep 21 15:10:12 2012
@@ -2,11 +2,13 @@
Changes with Apache 2.4.4
+ *) mod_ssl: Match wildcard SSL certificate names in proxy mode.
+ PR 53006. [Joe Orton]
+
*) Windows: Fix output of -M, -L, and similar command-line options
which display information about the server configuration.
[Jeff Trawick]
-
Changes with Apache 2.4.3
*) SECURITY: CVE-2012-3502 (cve.mitre.org)
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_io.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_io.c?rev=1388547&r1=1388546&r2=1388547&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_io.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_io.c Fri Sep 21 15:10:12 2012
@@ -1112,11 +1112,22 @@ static apr_status_t ssl_io_filter_handsh
if ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE) &&
hostname_note) {
const char *hostname;
+ int match = 0;
hostname = ssl_var_lookup(NULL, server, c, NULL,
"SSL_CLIENT_S_DN_CN");
apr_table_unset(c->notes, "proxy-request-hostname");
- if (strcasecmp(hostname, hostname_note)) {
+
+ /* Do string match or simplest wildcard match if that
+ * fails. */
+ match = strcasecmp(hostname, hostname_note) == 0;
+ if (!match && strncmp(hostname, "*.", 2) == 0) {
+ const char *p = ap_strchr_c(hostname_note, '.');
+
+ match = p && strcasecmp(p, hostname + 1) == 0;
+ }
+
+ if (!match) {
ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02005)
"SSL Proxy: Peer certificate CN mismatch:"
" Certificate CN: %s Requested hostname: %s",
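Review bot: the wildcard branch, `match = p && strcasecmp(p, hostname + 1) == 0;`, compares everything after the first '.' of the requested hostname against everything after the '*' of the CN, which correctly restricts the wildcard to a single leftmost label, but it places no lower bound on what follows the "*.": a CN of "*.com" would be accepted for any "name.com", and "*." followed by a single label is exactly what RFC 6125 section 6.4.3 advises against honouring. Suggest rejecting the wildcard unless `hostname + 2` itself contains at least one more '.', e.g. `if (!match && strncmp(hostname, "*.", 2) == 0 && ap_strchr_c(hostname + 2, '.'))`, and noting that single-label restriction in the comment, which currently just says "simplest wildcard match". Minor: the initializer in `int match = 0;` is redundant because `match` is assigned unconditionally by the strcasecmp line that follows; either drop the initializer or fold the declaration and the first assignment together.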