Posted to cvs@httpd.apache.org by rp...@apache.org on 2009/04/25 22:15:49 UTC
svn commit: r768596 - in /httpd/httpd/trunk: docs/manual/mod/mod_ssl.xml
modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c
modules/ssl/ssl_engine_kernel.c modules/ssl/ssl_private.h
Author: rpluem
Date: Sat Apr 25 20:15:49 2009
New Revision: 768596
URL: http://svn.apache.org/viewvc?rev=768596&view=rev
Log:
* Add SSLStrictSNIVHostCheck to allow / disallow non-SNI clients to connect to
name-based virtual hosts.
Modified:
httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
httpd/httpd/trunk/modules/ssl/mod_ssl.c
httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
httpd/httpd/trunk/modules/ssl/ssl_private.h
Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=768596&r1=768595&r2=768596&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Sat Apr 25 20:15:49 2009
@@ -1354,6 +1354,37 @@
</directivesynopsis>
<directivesynopsis>
+<name>SSLStrictSNIVHostCheck</name>
+<description>Whether to allow non SNI clients to access a name based virtual
+host.
+</description>
+<syntax>SSLStrictSNIVHostCheck on|off</syntax>
+<default>SSLStrictSNIVHostCheck off</default>
+<contextlist><context>server config</context>
+<context>virtual host</context></contextlist>
+
+<usage>
+<p>
+This directive sets whether a non SNI client is allowed to access a name based
+virtual host. If set to <code>on</code> in the non default name based virtual
+host, non SNI clients are not allowed to access this particular virtual host.
+If set to <code>on</code> in the default name based virtual host, non SNI
+clients are not allowed to access any name based virtual host belonging to
+this IP / port combination.
+</p>
+
+<note type="warning"><p>
+This option is only available if httpd was compiled against an SNI capable
+version of OpenSSL.
+</p></note>
+
+<example><title>Example</title>
+SSLStrictSNIVHostCheck on
+</example>
+</usage>
+</directivesynopsis>
+
+<directivesynopsis>
<name>SSLProxyMachineCertificatePath</name>
<description>Directory of PEM-encoded client certificates and keys to be used by the proxy</description>
<syntax>SSLProxyMachineCertificatePath <em>directory</em></syntax>
Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?rev=768596&r1=768595&r2=768596&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/trunk/modules/ssl/mod_ssl.c Sat Apr 25 20:15:49 2009
@@ -129,6 +129,10 @@
SSL_CMD_SRV(LogLevelDebugDump, TAKE1,
"Include I/O Dump when LogLevel is set to Debug "
"([ None (default) | IO (not bytes) | Bytes ])")
+#ifndef OPENSSL_NO_TLSEXT
+ SSL_CMD_SRV(StrictSNIVHostCheck, FLAG,
+ "Strict SNI virtual host checking")
+#endif
/*
* Proxy configuration for remote SSL connections
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=768596&r1=768595&r2=768596&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Sat Apr 25 20:15:49 2009
@@ -175,6 +175,9 @@
sc->ssl_log_level = SSL_LOG_UNSET;
sc->proxy_ssl_check_peer_expire = SSL_ENABLED_UNSET;
sc->proxy_ssl_check_peer_cn = SSL_ENABLED_UNSET;
+#ifndef OPENSSL_NO_TLSEXT
+ sc->strict_sni_vhost_check = SSL_ENABLED_UNSET;
+#endif
modssl_ctx_init_proxy(sc, p);
@@ -270,6 +273,9 @@
cfgMerge(ssl_log_level, SSL_LOG_UNSET);
cfgMerge(proxy_ssl_check_peer_expire, SSL_ENABLED_UNSET);
cfgMerge(proxy_ssl_check_peer_cn, SSL_ENABLED_UNSET);
+#ifndef OPENSSL_NO_TLSEXT
+ cfgMerge(strict_sni_vhost_check, SSL_ENABLED_UNSET);
+#endif
modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
@@ -1440,6 +1446,17 @@
return NULL;
}
+#ifndef OPENSSL_NO_TLSEXT
+const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+ sc->strict_sni_vhost_check = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE;
+
+ return NULL;
+}
+#endif
+
void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
{
if (!ap_exists_config_define("DUMP_CERTS")) {
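Review bot: ssl_cmd_SSLStrictSNIVHostCheck is added without any comment, although every other directive handler in this file is the reference point for what the directive means; a one-liner above it would save the next reader a trip to the kernel code, e.g. `/* SSLStrictSNIVHostCheck on|off: when on, non-SNI clients are refused access to name-based vhosts (enforced in ssl_engine_kernel.c) */`. It also stores the flag on the config of `cmd->server`, so for a vhost the setting is per-vhost and, via the cfgMerge with SSL_ENABLED_UNSET in the earlier hunk, inherited from the main server when not set; that inheritance is worth stating in the same comment so nobody assumes the vhost default is always `off`.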
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=768596&r1=768595&r2=768596&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Sat Apr 25 20:15:49 2009
@@ -186,10 +186,16 @@
return HTTP_BAD_REQUEST;
}
}
- else if (r->connection->vhost_lookup_data) {
+ else if (((sc->strict_sni_vhost_check == SSL_ENABLED_TRUE)
+ || (mySrvConfig(sslconn->server))->strict_sni_vhost_check
+ == SSL_ENABLED_TRUE)
+ && r->connection->vhost_lookup_data) {
/*
* We are using a name based configuration here, but no hostname was
- * provided via SNI. Don't allow that.
+ * provided via SNI. Don't allow that if are requested to do strict
+ * checking. Check wether this strict checking was setup either in the
+ * server config we used for handshaking or in our current server.
+ * This should avoid insecure configuration by accident.
*/
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
"No hostname was provided via SNI for a name based"
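Review bot: The new condition reads `sc->strict_sni_vhost_check` and the same member of `mySrvConfig(sslconn->server)`, but ssl_private.h declares that member only under `#ifndef OPENSSL_NO_TLSEXT`; unless this `else if` already sits inside such a guard (the enclosing function starts before the hunk, so I cannot tell), a build without TLS extensions no longer compiles here. Note also that this flips the previous behaviour: the removed branch rejected every non-SNI request to a name-based vhost, while the new default (`off`) admits it, so the TLS handshake was completed under the configuration of `sslconn->server` while the request is then served by `r->server`; that split, which the condition itself relies on, is why the directive exists and deserves a sentence in the directive's warning note rather than living only in this comment. The double lookup would read better hoisted: `SSLSrvConfigRec *hsc = mySrvConfig(sslconn->server);` followed by `else if ((sc->strict_sni_vhost_check == SSL_ENABLED_TRUE || hsc->strict_sni_vhost_check == SSL_ENABLED_TRUE) && r->connection->vhost_lookup_data) {`. The comment also has a typo, `wether` → `whether`, and a missing word in `if are requested` → `if we are requested`.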
Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=768596&r1=768595&r2=768596&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_private.h Sat Apr 25 20:15:49 2009
@@ -479,6 +479,9 @@
ssl_log_level_e ssl_log_level;
ssl_enabled_t proxy_ssl_check_peer_expire;
ssl_enabled_t proxy_ssl_check_peer_cn;
+#ifndef OPENSSL_NO_TLSEXT
+ ssl_enabled_t strict_sni_vhost_check;
+#endif
};
/**
@@ -544,6 +547,9 @@
const char *ssl_cmd_SSLUserName(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLLogLevelDebugDump(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
+#ifndef OPENSSL_NO_TLSEXT
+const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
+#endif
const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);