Posted to cvs@httpd.apache.org by kb...@apache.org on 2011/09/25 17:55:13 UTC
svn commit: r1175416 - in /httpd/httpd/trunk: CHANGES
modules/ssl/ssl_engine_io.c
Author: kbrand
Date: Sun Sep 25 15:55:13 2011
New Revision: 1175416
URL: http://svn.apache.org/viewvc?rev=1175416&view=rev
Log:
enable the SNI extension for proxy connections
to TLS backends (but avoid for pure SSLv2/SSLv3)
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/modules/ssl/ssl_engine_io.c
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1175416&r1=1175415&r2=1175416&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Sun Sep 25 15:55:13 2011
@@ -12,6 +12,9 @@ Changes with Apache 2.3.15
PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener,
<lowprio20 gmail.com>]
+ *) mod_ssl/proxy: enable the SNI extension for backend TLS connections
+ [Kaspar Brand]
+
*) Add wrappers for malloc, calloc, realloc that check for out of memory
situations and use them in many places. PR 51568, PR 51569, PR 51571.
[Stefan Fritsch]
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_io.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_io.c?rev=1175416&r1=1175415&r2=1175416&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_io.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_io.c Sun Sep 25 15:55:13 2011
@@ -1040,9 +1040,39 @@ static apr_status_t ssl_io_filter_handsh
server = sslconn->server;
if (sslconn->is_proxy) {
- const char *hostname_note;
-
+#ifndef OPENSSL_NO_TLSEXT
+ apr_ipsubnet_t *ip;
+#endif
+ const char *hostname_note = apr_table_get(c->notes,
+ "proxy-request-hostname");
sc = mySrvConfig(server);
+
+#ifndef OPENSSL_NO_TLSEXT
+ /*
+ * Enable SNI for backend requests. Make sure we don't do it for
+ * pure SSLv2 or SSLv3 connections, and also prevent IP addresses
+ * from being included in the SNI extension. (OpenSSL would simply
+ * pass them on, but RFC 6066 is quite clear on this: "Literal
+ * IPv4 and IPv6 addresses are not permitted".)
+ */
+ if (hostname_note &&
+ sc->proxy->protocol != SSL_PROTOCOL_SSLV2 &&
+ sc->proxy->protocol != SSL_PROTOCOL_SSLV3 &&
+ apr_ipsubnet_create(&ip, hostname_note, NULL,
+ c->pool) != APR_SUCCESS) {
+ if (SSL_set_tlsext_host_name(filter_ctx->pssl, hostname_note)) {
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
+ "SNI extension for SSL Proxy request set to '%s'",
+ hostname_note);
+ } else {
+ ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c,
+ "Failed to set SNI extension for SSL Proxy "
+ "request to '%s'", hostname_note);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_WARNING, server);
+ }
+ }
+#endif
+
if ((n = SSL_connect(filter_ctx->pssl)) <= 0) {
ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
"SSL Proxy connect failed");
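Review bot: The SNI name chosen at L54-L59 is read once from `proxy-request-hostname` and is then fixed for the whole life of this backend connection, so if mod_proxy later reuses the pooled connection for a request to a different hostname (inferred — connection reuse is not visible in this hunk) the SNI value and the certificate the backend picked no longer belong to that request; I would record the hostname on the proxy connection so the reuse path can refuse a mismatch, and at minimum add `/* SNI is bound to this connection; a reused connection must have the same hostname */` above the `if`. A smaller point: when SSL_set_tlsext_host_name() fails (presumably on an over-long name) the code only warns and still runs SSL_connect() without SNI, which silently falls back to whatever default certificate the backend serves — defensible, but the warning could say "continuing without SNI" so an operator understands the later peer-CN failure. The `ip` variable is only a probe result for apr_ipsubnet_create() and is never read; a one-line comment such as `/* apr_ipsubnet_create() success means the name is an IP literal, which RFC 6066 forbids in SNI */` would stop a reader hunting for its use. ssl_io_filter_handshake starts before and continues after this hunk.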
@@ -1072,9 +1102,8 @@ static apr_status_t ssl_io_filter_handsh
}
X509_free(cert);
}
- if ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE)
- && ((hostname_note =
- apr_table_get(c->notes, "proxy-request-hostname")) != NULL)) {
+ if ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE) &&
+ hostname_note) {
const char *hostname;
hostname = ssl_var_lookup(NULL, server, c, NULL,