Posted to cvs@httpd.apache.org by tr...@apache.org on 2014/07/14 02:22:16 UTC
svn commit: r1610326 - in /httpd/httpd/branches/2.4.x: ./ CHANGES STATUS
modules/ssl/ssl_engine_kernel.c
Author: trawick
Date: Mon Jul 14 00:22:15 2014
New Revision: 1610326
URL: http://svn.apache.org/r1610326
Log:
mod_ssl: Fix issue with redirects to error documents when handling
SNI errors.
Submitted by: trawick
Reviewed by: minfrin, rjung
Modified:
httpd/httpd/branches/2.4.x/ (props changed)
httpd/httpd/branches/2.4.x/CHANGES
httpd/httpd/branches/2.4.x/STATUS
httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c
Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
Merged /httpd/httpd/trunk:r1609914
Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1610326&r1=1610325&r2=1610326&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Mon Jul 14 00:22:15 2014
@@ -2,6 +2,9 @@
Changes with Apache 2.4.10
+ *) mod_ssl: Fix issue with redirects to error documents when handling
+ SNI errors. [Jeff Trawick]
+
*) mod_ssl: Fix tmp DH parameter leak, adjust selection to prefer
larger keys and support up to 8192-bit keys. [Ruediger Pluem,
Joe Orton]
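Review bot: the added CHANGES entry says only "Fix issue with redirects to error documents" and does not name the symptom an administrator would recognize. Suggest wording it from the behaviour described in the code comment of this same commit, for example that the SNI checks no longer return an error a second time while the ErrorDocument redirect for the original SNI error is being processed.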
Modified: httpd/httpd/branches/2.4.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1610326&r1=1610325&r2=1610326&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/STATUS (original)
+++ httpd/httpd/branches/2.4.x/STATUS Mon Jul 14 00:22:15 2014
@@ -122,12 +122,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
ylavic: does not depend on r1572092 or r1572655 and al above,
these proposals can be backported in any order.
- * mod_ssl: Fix issue with redirects to error documents when handling
- SNI errors.
- trunk patch: http://svn.apache.org/r1609914
- 2.4.x patch: Trunk patch works modulo CHANGES.
- +1: trawick, minfrin, rjung
-
* mod_ssl: Set an error note for requests rejected due to
SSLStrictSNIVHostCheck
trunk patch: http://svn.apache.org/r1609936
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c?rev=1610326&r1=1610325&r2=1610326&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c Mon Jul 14 00:22:15 2014
@@ -163,7 +163,13 @@ int ssl_hook_ReadReq(request_rec *r)
return DECLINED;
}
#ifdef HAVE_TLSEXT
- if (r->proxyreq != PROXYREQ_PROXY) {
+ /*
+ * Perform SNI checks only on the initial request. In particular,
+ * if these checks detect a problem, the checks shouldn't return an
+ * error again when processing an ErrorDocument redirect for the
+ * original problem.
+ */
+ if (r->proxyreq != PROXYREQ_PROXY && ap_is_initial_req(r)) {
if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
char *host, *scope_id;
apr_port_t port;
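Review bot: the new condition `r->proxyreq != PROXYREQ_PROXY && ap_is_initial_req(r)` skips the SNI checks for every non-initial request, which means subrequests and all internal redirects, while the added comment justifies only the ErrorDocument redirect case. Suggest extending the comment to say that the wider skip is intended and that it relies on the initial request of the same request chain having already gone through these checks, so a later change does not narrow or widen the gate without seeing that assumption. Since this block enforces the match between the TLS SNI name and the requested host, a regression test that triggers an SNI error with an ErrorDocument configured and asserts the original error status reaches the client would be worth adding alongside.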