Posted to cvs@httpd.apache.org by rp...@apache.org on 2009/03/23 11:51:02 UTC

svn commit: r757373 - /httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c

Author: rpluem
Date: Mon Mar 23 10:51:00 2009
New Revision: 757373

URL: http://svn.apache.org/viewvc?rev=757373&view=rev
Log:
* If the SNI extension supplied a hostname, don't accept requests with
  either no hostname or a different hostname.

Modified:
    httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=757373&r1=757372&r2=757373&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Mon Mar 23 10:51:00 2009
@@ -160,11 +160,31 @@
         return DECLINED;
     }
 #ifndef OPENSSL_NO_TLSEXT
-    if (!r->hostname &&
-        (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
-        /* Use the SNI extension as the hostname if no Host: header was sent */
-        r->hostname = apr_pstrdup(r->pool, servername);
-        ap_update_vhost_from_headers(r);
+    if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
+        char *host, *scope_id;
+        apr_port_t port;
+        apr_status_t rv;
+
+        /*
+         * The SNI extension supplied a hostname. So don't accept requests
+         * with either no hostname or a different hostname.
+         */
+        if (!r->hostname) {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
+                        "Hostname %s provided via SNI, but no hostname"
+                        " provided in HTTP request", servername);
+            return HTTP_BAD_REQUEST;
+        }
+        rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool);
+        if (rv != APR_SUCCESS || scope_id) {
+            return HTTP_BAD_REQUEST;
+        }
+        if (strcmp(host, servername)) {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
+                        "Hostname %s provided via SNI and hostname %s provided"
+                        " via HTTP are different", servername, host);
+            return HTTP_BAD_REQUEST;
+        }
     }
 #endif
     SSL_set_app_data2(ssl, r);
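Review bot: The parse-failure branch after the apr_parse_addr_port call (`if (rv != APR_SUCCESS || scope_id)`) rejects the request with HTTP_BAD_REQUEST silently, while the two neighbouring rejections in the same hunk log at APLOG_ERR; an operator then sees a 400 with no error-log line explaining which Host value was refused, which also makes the rejection invisible to log-based monitoring. The same guard should also cover `host` being NULL: APR documents the addr out-parameter as left NULL when no host portion precedes the port, and whether the Host header has already been normalised so that this form cannot reach here is not visible from the hunk, so the following `strcmp(host, servername)` is safer with `|| !host` in the condition. The rv value can be passed as the status argument so the APR error text is included. The enclosing function starts and ends outside the hunk.

```c
        rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool);
        if (rv != APR_SUCCESS || scope_id || !host) {
            ap_log_error(APLOG_MARK, APLOG_ERR, rv, r->server,
                         "Hostname %s provided via SNI, but hostname %s"
                         " provided in HTTP request could not be parsed",
                         servername, r->hostname);
            return HTTP_BAD_REQUEST;
        }
        /* ... unchanged: strcmp comparison of host against servername ... */
```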



Re: svn commit: r757373 - /httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c

Posted by Paul Querna <pa...@querna.org>.
On Mon, Mar 23, 2009 at 11:56 AM, Paul Querna <pa...@querna.org> wrote:
> On Mon, Mar 23, 2009 at 11:51 AM,  <rp...@apache.org> wrote:
>> Author: rpluem
>> Date: Mon Mar 23 10:51:00 2009
>> New Revision: 757373
>>
>> URL: http://svn.apache.org/viewvc?rev=757373&view=rev
>> Log:
>> * If the SNI extension supplied a hostname. So don't accept requests with
>>  either no hostname or a different hostname.
>>
>> Modified:
>>    httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
>>
>> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
>> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=757373&r1=757372&r2=757373&view=diff
>> ==============================================================================
>> --- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
>> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Mon Mar 23 10:51:00 2009
>> @@ -160,11 +160,31 @@
>>         return DECLINED;
>>     }
>>  #ifndef OPENSSL_NO_TLSEXT
>> -    if (!r->hostname &&
>> -        (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
>> -        /* Use the SNI extension as the hostname if no Host: header was sent */
>> -        r->hostname = apr_pstrdup(r->pool, servername);
>> -        ap_update_vhost_from_headers(r);
>> +    if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
>> +        char *host, *scope_id;
>> +        apr_port_t port;
>> +        apr_status_t rv;
>> +
>> +        /*
>> +         * The SNI extension supplied a hostname. So don't accept requests
>> +         * with either no hostname or a different hostname.
>> +         */
>> +        if (!r->hostname) {
>> +            ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
>> +                        "Hostname %s provided via SNI, but no hostname"
>> +                        " provided in HTTP request", servername);
>> +            return HTTP_BAD_REQUEST;
>> +        }
>> +        rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool);
>> +        if (rv != APR_SUCCESS || scope_id) {
>> +            return HTTP_BAD_REQUEST;
>> +        }
>> +        if (strcmp(host, servername)) {
>> +            ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
>> +                        "Hostname %s provided via SNI and hostname %s provided"
>> +                        " via HTTP are different", servername, host);
>> +            return HTTP_BAD_REQUEST;
>> +        }
>
> shouldn't this be ap_strcasecmp_match instead of strcmp?

sorry, host and servername are both full names, not wildcards, so this
is fine....

Re: svn commit: r757373 - /httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c

Posted by Paul Querna <pa...@querna.org>.
On Mon, Mar 23, 2009 at 11:51 AM,  <rp...@apache.org> wrote:
> Author: rpluem
> Date: Mon Mar 23 10:51:00 2009
> New Revision: 757373
>
> URL: http://svn.apache.org/viewvc?rev=757373&view=rev
> Log:
> * If the SNI extension supplied a hostname. So don't accept requests with
>  either no hostname or a different hostname.
>
> Modified:
>    httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=757373&r1=757372&r2=757373&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Mon Mar 23 10:51:00 2009
> @@ -160,11 +160,31 @@
>         return DECLINED;
>     }
>  #ifndef OPENSSL_NO_TLSEXT
> -    if (!r->hostname &&
> -        (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
> -        /* Use the SNI extension as the hostname if no Host: header was sent */
> -        r->hostname = apr_pstrdup(r->pool, servername);
> -        ap_update_vhost_from_headers(r);
> +    if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
> +        char *host, *scope_id;
> +        apr_port_t port;
> +        apr_status_t rv;
> +
> +        /*
> +         * The SNI extension supplied a hostname. So don't accept requests
> +         * with either no hostname or a different hostname.
> +         */
> +        if (!r->hostname) {
> +            ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
> +                        "Hostname %s provided via SNI, but no hostname"
> +                        " provided in HTTP request", servername);
> +            return HTTP_BAD_REQUEST;
> +        }
> +        rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool);
> +        if (rv != APR_SUCCESS || scope_id) {
> +            return HTTP_BAD_REQUEST;
> +        }
> +        if (strcmp(host, servername)) {
> +            ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
> +                        "Hostname %s provided via SNI and hostname %s provided"
> +                        " via HTTP are different", servername, host);
> +            return HTTP_BAD_REQUEST;
> +        }

shouldn't this be ap_strcasecmp_match instead of strcmp?

Thanks,
Paul