Posted to bugs@httpd.apache.org by bu...@apache.org on 2018/01/16 08:16:28 UTC

[Bug 62003] New: [req] Add client IP to "Hostname %s provided via SNI..." messages

https://bz.apache.org/bugzilla/show_bug.cgi?id=62003

            Bug ID: 62003
           Summary: [req] Add client IP to "Hostname %s provided via
                    SNI..." messages
           Product: Apache httpd-2
           Version: 2.4.29
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@httpd.apache.org
          Reporter: ben.rubson@gmail.com
  Target Milestone: ---

Hello,

Apache logs when the hostname provided via SNI and the one provided via HTTP are not the same:

Hostname %s provided via SNI, but no hostname provided in HTTP request
Hostname %s provided via SNI and hostname %s provided via HTTP are different
Hostname %s provided via SNI and hostname %s provided via HTTP have no
compatible SSL setup

Unfortunately, the client IP is not given in these messages.
It would be good to have it so that we could ban the client if we detect these
entries as attack attempts.
(https://github.com/fail2ban/fail2ban/issues/2017)

Could you then add the client IP to these messages, please?
And then backport this tiny change to Apache 2.4.X?

Thank you very much!

Best regards,

Ben

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


[Bug 62003] [req] Add client IP to "Hostname %s provided via SNI..." messages

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62003

--- Comment #3 from Christophe JAILLET <ch...@wanadoo.fr> ---
The culprit is ap_log_error vs ap_log_rerror.
                                      ^
The 4th argument should be updated accordingly.


Christophe JAILLET <ch...@wanadoo.fr> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #9 from Christophe JAILLET <ch...@wanadoo.fr> ---
This has been merged in 2.4.x in r1828745.
This is part of 2.4.34.


--- Comment #7 from Ben RUBSON <be...@gmail.com> ---
Thank you, Christophe!
Let me test this and come back to you ASAP with the result.


--- Comment #4 from Ben RUBSON <be...@gmail.com> ---
Good catch!
Perhaps then we could move to ap_log_rerror() so that the client IP is logged?
Or perhaps you have a better solution in mind?


--- Comment #5 from Christophe JAILLET <ch...@wanadoo.fr> ---
Can you test with r1827865? (based on trunk, but should be easy to replicate in
any other version of the server)


--- Comment #8 from Ben RUBSON <be...@gmail.com> ---
Christophe, just tested, it works!

Here is an example line from my error log (wrapped here for display; it is a single line in the log):
[Wed Mar 28 01:31:42.355210 2018] [ssl:error] [pid 6586] [client X.X.X.X:58028]
AH02032: Hostname www.testdom.com provided via SNI and hostname dummy.com
provided via HTTP have no compatible SSL setup

Perfect!

Could we then think about a backport to 2.4.x?

Thank you again!

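As an added example (not part of this thread, and not httpd's own code), here is a small Python parser for the error_log line format shown in Comment #8. It returns the client IP for an SNI/Host mismatch message only when the line carries the `[client ...]` field that ap_log_rerror() writes; a line produced by the pre-fix ap_log_error() call has no such field, so there is nothing for a ban rule to act on. The sample lines, including the 192.0.2.10 address, are constructed.

```python
import re
from typing import Optional

# httpd 2.4 error_log line, as shown in Comment #8:
#   [timestamp] [module:level] [pid N] [client IP:port] AHxxxxx: message
# The "[client ...]" field is only present when the message was logged with
# ap_log_rerror() (request scope); ap_log_error() (server scope) omits it.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\]"
    r" \[pid (?P<pid>\d+)(?::tid \d+)?\]"      # threaded MPMs add ":tid N"
    r"(?: \[client (?P<client>[^\]]+)\])?"     # optional: missing pre-fix
    r" (?P<msg>.*)$"
)

# Common prefix of the three SNI/Host mismatch messages quoted in the report.
SNI_MISMATCH_RE = re.compile(r"Hostname \S+ provided via SNI")


def parse_error_line(line: str) -> Optional[dict]:
    """Split one error_log line into its fields; None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["client_ip"] = None
    if rec["client"]:
        # The field is "IP:port"; split on the last colon so that an IPv6
        # address (logged without brackets) keeps all of its own colons.
        rec["client_ip"] = rec["client"].rpartition(":")[0]
    return rec


def sni_mismatch_ip(line: str) -> Optional[str]:
    """Client IP to act on for an SNI/Host mismatch line, else None.

    None is also returned for a mismatch line that has no [client ...] field,
    which is exactly the situation the bug report describes."""
    rec = parse_error_line(line)
    if rec is None or rec["module"] != "ssl":
        return None
    if not SNI_MISMATCH_RE.search(rec["msg"]):
        return None
    return rec["client_ip"]


# Constructed samples: the line from Comment #8 re-joined with a placeholder
# address, and the same event as the pre-fix ap_log_error() call wrote it.
FIXED_LINE = ("[Wed Mar 28 01:31:42.355210 2018] [ssl:error] [pid 6586] "
              "[client 192.0.2.10:58028] AH02032: Hostname www.testdom.com "
              "provided via SNI and hostname dummy.com provided via HTTP "
              "have no compatible SSL setup")
OLD_LINE = ("[Wed Mar 28 01:31:42.355210 2018] [ssl:error] [pid 6586] "
            "AH02032: Hostname www.testdom.com provided via SNI and hostname "
            "dummy.com provided via HTTP have no compatible SSL setup")
```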

--- Comment #6 from Christophe JAILLET <ch...@wanadoo.fr> ---
r1827865


--- Comment #1 from Christophe JAILLET <ch...@wanadoo.fr> ---
Shouldn't a custom LogFormat
(https://httpd.apache.org/docs/2.4/en/mod/mod_log_config.html#formats) be
enough?


--- Comment #2 from Ben RUBSON <be...@gmail.com> ---
I don't think so, as all other error messages correctly show up with the client
IP.

For example, this one is OK:
https://github.com/apache/httpd/blob/2.4.33/modules/aaa/mod_authz_core.c#L870

But this one, as stated above, does not show the client IP:
https://github.com/apache/httpd/blob/2.4.33/modules/ssl/ssl_engine_kernel.c#L324

Perhaps the 4th parameter given to ap_log_error() is the culprit?
(ap_log_error() must certainly extract the client IP from it?)
