Posted to cvs@httpd.apache.org by rp...@apache.org on 2009/03/23 11:51:02 UTC
svn commit: r757373 - /httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
Author: rpluem
Date: Mon Mar 23 10:51:00 2009
New Revision: 757373
URL: http://svn.apache.org/viewvc?rev=757373&view=rev
Log:
* If the SNI extension supplied a hostname, don't accept requests with
either no hostname or a different hostname.
Modified:
httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=757373&r1=757372&r2=757373&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Mon Mar 23 10:51:00 2009
@@ -160,11 +160,31 @@
return DECLINED;
}
#ifndef OPENSSL_NO_TLSEXT
- if (!r->hostname &&
- (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
- /* Use the SNI extension as the hostname if no Host: header was sent */
- r->hostname = apr_pstrdup(r->pool, servername);
- ap_update_vhost_from_headers(r);
+ if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
+ char *host, *scope_id;
+ apr_port_t port;
+ apr_status_t rv;
+
+ /*
+ * The SNI extension supplied a hostname. So don't accept requests
+ * with either no hostname or a different hostname.
+ */
+ if (!r->hostname) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
+ "Hostname %s provided via SNI, but no hostname"
+ " provided in HTTP request", servername);
+ return HTTP_BAD_REQUEST;
+ }
+ rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool);
+ if (rv != APR_SUCCESS || scope_id) {
+ return HTTP_BAD_REQUEST;
+ }
+ if (strcmp(host, servername)) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
+ "Hostname %s provided via SNI and hostname %s provided"
+ " via HTTP are different", servername, host);
+ return HTTP_BAD_REQUEST;
+ }
}
#endif
SSL_set_app_data2(ssl, r);
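Review bot: The rejection on the `rv != APR_SUCCESS || scope_id` branch returns HTTP_BAD_REQUEST without logging, while the two neighbouring rejections in the same block log at APLOG_ERR, so an operator seeing that 400 cannot tell from the error log which of the three checks fired. Add a matching log line before that return, e.g. `ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, "Hostname %s provided via SNI, but hostname %s provided via HTTP could not be parsed", servername, r->hostname);`. Separately, `strcmp(host, servername)` compares case-sensitively, whereas DNS names and the HTTP Host header are case-insensitive, so a request carrying `Host: Example.COM` with SNI `example.com` (constructed example) is rejected even though both name the same host; `strcasecmp(host, servername)` expresses the intended equality check without introducing wildcard matching. The enclosing function starts and ends outside the hunk.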
Re: svn commit: r757373 - /httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
Posted by Paul Querna <pa...@querna.org>.
On Mon, Mar 23, 2009 at 11:56 AM, Paul Querna <pa...@querna.org> wrote:
> On Mon, Mar 23, 2009 at 11:51 AM, <rp...@apache.org> wrote:
>> Author: rpluem
>> Date: Mon Mar 23 10:51:00 2009
>> New Revision: 757373
>>
>> URL: http://svn.apache.org/viewvc?rev=757373&view=rev
>> Log:
>> * If the SNI extension supplied a hostname. So don't accept requests with
>> either no hostname or a different hostname.
>>
>> Modified:
>> httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
>>
>> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
>> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=757373&r1=757372&r2=757373&view=diff
>> ==============================================================================
>> --- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
>> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Mon Mar 23 10:51:00 2009
>> @@ -160,11 +160,31 @@
>> return DECLINED;
>> }
>> #ifndef OPENSSL_NO_TLSEXT
>> - if (!r->hostname &&
>> - (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
>> - /* Use the SNI extension as the hostname if no Host: header was sent */
>> - r->hostname = apr_pstrdup(r->pool, servername);
>> - ap_update_vhost_from_headers(r);
>> + if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
>> + char *host, *scope_id;
>> + apr_port_t port;
>> + apr_status_t rv;
>> +
>> + /*
>> + * The SNI extension supplied a hostname. So don't accept requests
>> + * with either no hostname or a different hostname.
>> + */
>> + if (!r->hostname) {
>> + ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
>> + "Hostname %s provided via SNI, but no hostname"
>> + " provided in HTTP request", servername);
>> + return HTTP_BAD_REQUEST;
>> + }
>> + rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool);
>> + if (rv != APR_SUCCESS || scope_id) {
>> + return HTTP_BAD_REQUEST;
>> + }
>> + if (strcmp(host, servername)) {
>> + ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
>> + "Hostname %s provided via SNI and hostname %s provided"
>> + " via HTTP are different", servername, host);
>> + return HTTP_BAD_REQUEST;
>> + }
>
> shouldn't this be ap_strcasecmp_match instead of strcmp?
sorry, host and servername are both full names, not wildcards, so this
is fine....
Re: svn commit: r757373 - /httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
Posted by Paul Querna <pa...@querna.org>.
On Mon, Mar 23, 2009 at 11:51 AM, <rp...@apache.org> wrote:
> Author: rpluem
> Date: Mon Mar 23 10:51:00 2009
> New Revision: 757373
>
> URL: http://svn.apache.org/viewvc?rev=757373&view=rev
> Log:
> * If the SNI extension supplied a hostname. So don't accept requests with
> either no hostname or a different hostname.
>
> Modified:
> httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=757373&r1=757372&r2=757373&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Mon Mar 23 10:51:00 2009
> @@ -160,11 +160,31 @@
> return DECLINED;
> }
> #ifndef OPENSSL_NO_TLSEXT
> - if (!r->hostname &&
> - (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
> - /* Use the SNI extension as the hostname if no Host: header was sent */
> - r->hostname = apr_pstrdup(r->pool, servername);
> - ap_update_vhost_from_headers(r);
> + if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
> + char *host, *scope_id;
> + apr_port_t port;
> + apr_status_t rv;
> +
> + /*
> + * The SNI extension supplied a hostname. So don't accept requests
> + * with either no hostname or a different hostname.
> + */
> + if (!r->hostname) {
> + ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
> + "Hostname %s provided via SNI, but no hostname"
> + " provided in HTTP request", servername);
> + return HTTP_BAD_REQUEST;
> + }
> + rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool);
> + if (rv != APR_SUCCESS || scope_id) {
> + return HTTP_BAD_REQUEST;
> + }
> + if (strcmp(host, servername)) {
> + ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
> + "Hostname %s provided via SNI and hostname %s provided"
> + " via HTTP are different", servername, host);
> + return HTTP_BAD_REQUEST;
> + }
shouldn't this be ap_strcasecmp_match instead of strcmp?
Thanks,
Paul