Posted to cvs@httpd.apache.org by ji...@apache.org on 2014/03/02 21:21:23 UTC
svn commit: r1573362 - in /httpd/httpd/branches/2.4.x: ./ CHANGES STATUS
modules/ssl/ssl_engine_kernel.c
Author: jim
Date: Sun Mar 2 20:21:23 2014
New Revision: 1573362
URL: http://svn.apache.org/r1573362
Log:
Merge r1553204, r1555240, r1572198 from trunk:
* Do not perform SNI / Host header comparison in case of a forward proxy request, since
for a forward proxy request the Host header cannot be used for virtual
host selection in our webserver.
* Update comment. No functional change.
* Put a note in CHANGES about r1553204
Submitted by: rpluem
Reviewed/backported by: jim
Modified:
httpd/httpd/branches/2.4.x/ (props changed)
httpd/httpd/branches/2.4.x/CHANGES
httpd/httpd/branches/2.4.x/STATUS
httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c
Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
Merged /httpd/httpd/trunk:r1553204,1555240,1572198
Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1573362&r1=1573361&r2=1573362&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Sun Mar 2 20:21:23 2014
@@ -2,6 +2,9 @@
Changes with Apache 2.4.8
+ *) mod_ssl: Do not perform SNI / Host header comparison in case of a
+ forward proxy request. [Ruediger Pluem]
+
*) mod_ssl: Remove the hardcoded algorithm-type dependency for the
SSLCertificateFile and SSLCertificateKeyFile directives, to enable
future algorithm agility, and deprecate the SSLCertificateChainFile
Modified: httpd/httpd/branches/2.4.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1573362&r1=1573361&r2=1573362&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Sun Mar 2 20:21:23 2014
@@ -98,30 +98,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_ssl: Remove the hardcoded algorithm-type dependency for the
- SSLCertificateFile and SSLCertificateKeyFile directives, and deprecate
- SSLCertificateChainFile. A detailed list of the changes is included
- at the beginning of the 2.4.x patch (from the original trunk commit logs)
- trunk patches: https://svn.apache.org/r1546804
- https://svn.apache.org/r1553824
- https://svn.apache.org/r1554192
- https://svn.apache.org/r1555463
- https://svn.apache.org/r1555467
- https://svn.apache.org/r1563417
- https://svn.apache.org/r1564760
- https://svn.apache.org/r1565081
- 2.4.x patch: https://people.apache.org/~kbrand/mod_ssl-2.4.x-certkeyfile-v3.diff
- +1: kbrand, ylavic, drh
-
- * mod_ssl: Do not perform SNI / Host header comparison in case of a
- forward proxy request.
- Trunk version of patch:
- http://svn.apache.org/r1553204
- http://svn.apache.org/r1555240
- http://svn.apache.org/r1572198
- Backport version for 2.4.x of patch:
- Trunk version of patch works (modulo CHANGES)
- +1: rpluem, jim, kbrand
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
[ New proposals should be added at the end of the list ]
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c?rev=1573362&r1=1573361&r2=1573362&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c Sun Mar 2 20:21:23 2014
@@ -163,47 +163,58 @@ int ssl_hook_ReadReq(request_rec *r)
return DECLINED;
}
#ifdef HAVE_TLSEXT
- if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
- char *host, *scope_id;
- apr_port_t port;
- apr_status_t rv;
-
- /*
- * The SNI extension supplied a hostname. So don't accept requests
- * with either no hostname or a different hostname.
- */
- if (!r->hostname) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02031)
- "Hostname %s provided via SNI, but no hostname"
- " provided in HTTP request", servername);
- return HTTP_BAD_REQUEST;
- }
- rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool);
- if (rv != APR_SUCCESS || scope_id) {
- return HTTP_BAD_REQUEST;
- }
- if (strcasecmp(host, servername)) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02032)
- "Hostname %s provided via SNI and hostname %s provided"
- " via HTTP are different", servername, host);
- return HTTP_BAD_REQUEST;
- }
- }
- else if (((sc->strict_sni_vhost_check == SSL_ENABLED_TRUE)
- || (mySrvConfig(sslconn->server))->strict_sni_vhost_check
- == SSL_ENABLED_TRUE)
- && r->connection->vhost_lookup_data) {
- /*
- * We are using a name based configuration here, but no hostname was
- * provided via SNI. Don't allow that if are requested to do strict
- * checking. Check wether this strict checking was setup either in the
- * server config we used for handshaking or in our current server.
- * This should avoid insecure configuration by accident.
- */
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02033)
- "No hostname was provided via SNI for a name based"
- " virtual host");
- return HTTP_FORBIDDEN;
+ if (r->proxyreq != PROXYREQ_PROXY) {
+ if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
+ char *host, *scope_id;
+ apr_port_t port;
+ apr_status_t rv;
+
+ /*
+ * The SNI extension supplied a hostname. So don't accept requests
+ * with either no hostname or a different hostname as this could
+ * cause us to end up in a different virtual host as the one that
+ * was used for the handshake causing different SSL parameters to
+ * be applied as SSLProtocol, SSLCACertificateFile/Path and
+ * SSLCADNRequestFile/Path cannot be renegotioated (SSLCA* due
+ * to current limitiations in Openssl, see
+ * http://mail-archives.apache.org/mod_mbox/httpd-dev/200806.mbox/%3C48592955.2090303@velox.ch%3E
+ * and
+ * http://mail-archives.apache.org/mod_mbox/httpd-dev/201312.mbox/%3CCAKQ1sVNpOrdiBm-UPw1hEdSN7YQXRRjeaT-MCWbW_7mN%3DuFiOw%40mail.gmail.com%3E
+ * )
+ */
+ if (!r->hostname) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02031)
+ "Hostname %s provided via SNI, but no hostname"
+ " provided in HTTP request", servername);
+ return HTTP_BAD_REQUEST;
+ }
+ rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool);
+ if (rv != APR_SUCCESS || scope_id) {
+ return HTTP_BAD_REQUEST;
+ }
+ if (strcasecmp(host, servername)) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02032)
+ "Hostname %s provided via SNI and hostname %s provided"
+ " via HTTP are different", servername, host);
+ return HTTP_BAD_REQUEST;
+ }
+ }
+ else if (((sc->strict_sni_vhost_check == SSL_ENABLED_TRUE)
+ || (mySrvConfig(sslconn->server))->strict_sni_vhost_check
+ == SSL_ENABLED_TRUE)
+ && r->connection->vhost_lookup_data) {
+ /*
+ * We are using a name based configuration here, but no hostname was
+ * provided via SNI. Don't allow that if are requested to do strict
+ * checking. Check wether this strict checking was setup either in the
+ * server config we used for handshaking or in our current server.
+ * This should avoid insecure configuration by accident.
+ */
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02033)
+ "No hostname was provided via SNI for a name based"
+ " virtual host");
+ return HTTP_FORBIDDEN;
+ }
}
#endif
SSL_set_app_data2(ssl, r);
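Review bot: The new guard `if (r->proxyreq != PROXYREQ_PROXY)` makes the entire SNI/Host comparison and the strict-SNI vhost check conditional on `r->proxyreq` having already been classified by the time this post_read_request hook runs, and nothing in the hunk records that ordering dependency (presumably the proxy detection hook is ordered ahead of this one; worth confirming and stating at the guard). I would add above the new `if`: `/* Forward-proxy requests are routed by their absolute URI, not by Host, so the SNI/Host match and strict-SNI check do not apply here; relies on r->proxyreq being set by an earlier post_read_request hook. */`. The rewritten comment block also carries typos that this commit introduces or keeps: `renegotioated` should be `renegotiated`, `limitiations` should be `limitations`, `Openssl` should be `OpenSSL`, and `wether` should be `whether`. ssl_hook_ReadReq starts before this hunk and continues past it.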