Posted to bugs@httpd.apache.org by bu...@apache.org on 2018/01/16 08:16:28 UTC
[Bug 62003] New: [req] Add client IP to "Hostname %s provided via
SNI..." messages
https://bz.apache.org/bugzilla/show_bug.cgi?id=62003
Bug ID: 62003
Summary: [req] Add client IP to "Hostname %s provided via
SNI..." messages
Product: Apache httpd-2
Version: 2.4.29
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: bugs@httpd.apache.org
Reporter: ben.rubson@gmail.com
Target Milestone: ---
Hello,
Apache logs when the hostnames provided via SNI & HTTP are not the same:
Hostname %s provided via SNI, but no hostname provided in HTTP request
Hostname %s provided via SNI and hostname %s provided via HTTP are different
Hostname %s provided via SNI and hostname %s provided via HTTP have no
compatible SSL setup
Unfortunately, the client IP is not given in these messages.
It would be good to have it so that we could ban if we detect these entries as
attack attempts.
(https://github.com/fail2ban/fail2ban/issues/2017)
Could you then add the client IP to these messages, please?
And then backport this tiny change to Apache 2.4.X?
Thank you very much!
Best regards,
Ben
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 62003] [req] Add client IP to "Hostname %s provided via SNI..."
messages
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62003
--- Comment #3 from Christophe JAILLET <ch...@wanadoo.fr> ---
The culprit is ap_log_error vs ap_log_rerror.
^
The 4th argument should be updated accordingly.
[Bug 62003] [req] Add client IP to "Hostname %s provided via SNI..."
messages
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62003
Christophe JAILLET <ch...@wanadoo.fr> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED
--- Comment #9 from Christophe JAILLET <ch...@wanadoo.fr> ---
This has been merged in 2.4.x in r1828745.
This is part of 2.4.34
[Bug 62003] [req] Add client IP to "Hostname %s provided via SNI..."
messages
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62003
--- Comment #7 from Ben RUBSON <be...@gmail.com> ---
Thank you, Christophe!
Let me test this and come back to you ASAP with the result.
[Bug 62003] [req] Add client IP to "Hostname %s provided via SNI..."
messages
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62003
--- Comment #4 from Ben RUBSON <be...@gmail.com> ---
Good catch!
Perhaps then we could move to ap_log_rerror() so that the client IP is logged?
Or perhaps you are thinking of a better solution?
[Bug 62003] [req] Add client IP to "Hostname %s provided via SNI..."
messages
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62003
--- Comment #5 from Christophe JAILLET <ch...@wanadoo.fr> ---
Can you test with r1827865? (based on trunk, but should be easy to replicate in
any other version of the server)
[Bug 62003] [req] Add client IP to "Hostname %s provided via SNI..."
messages
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62003
--- Comment #8 from Ben RUBSON <be...@gmail.com> ---
Christophe, just tested, it works!
Here is an example line in my error log:
[Wed Mar 28 01:31:42.355210 2018] [ssl:error] [pid 6586] [client X.X.X.X:58028]
AH02032: Hostname www.testdom.com provided via SNI and hostname dummy.com
provided via HTTP have no compatible SSL setup
Perfect!
Could we then think about a backport to 2.4.x?
Thank you again!
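
Added example (not code from httpd, fail2ban, or any participant in this thread): a small parser showing why the `[client ...]` field matters for the banning use case in the original request. It matches the "provided via SNI" messages by their text, counts them per client address, and separately counts lines that carry no client field and so cannot be attributed; the sample lines, addresses and threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the line quoted in comment #8; addresses
# are documentation ranges. Line 3 lacks [client ...], as on a server without the change.
SAMPLE_LOG = """\
[Wed Mar 28 01:31:42.355210 2018] [ssl:error] [pid 6586] [client 192.0.2.10:58028] AH02032: Hostname www.testdom.com provided via SNI and hostname dummy.com provided via HTTP have no compatible SSL setup
[Wed Mar 28 01:31:43.101000 2018] [ssl:error] [pid 6586] [client 192.0.2.10:58030] AH02032: Hostname www.testdom.com provided via SNI and hostname other.example provided via HTTP have no compatible SSL setup
[Wed Mar 28 01:31:44.000000 2018] [ssl:error] [pid 6587] AH02032: Hostname www.testdom.com provided via SNI and hostname dummy.com provided via HTTP have no compatible SSL setup
[Wed Mar 28 01:31:45.000000 2018] [ssl:error] [pid 6587] [client 198.51.100.7:40112] AH02032: Hostname www.testdom.com provided via SNI and hostname dummy.com provided via HTTP have no compatible SSL setup
[Wed Mar 28 01:31:46.000000 2018] [authz_core:error] [pid 6588] [client 198.51.100.7:40113] AH01630: client denied by server configuration: /var/www/private
"""

LINE_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\] \[ssl:(?P<level>\w+)\] \[pid \d+(?::tid \d+)?\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?"
    r"(?:AH\d+: )?Hostname (?P<sni>\S+) provided via SNI\b(?P<rest>.*)$"
)
HTTP_HOST_RE = re.compile(r"\band hostname (\S+) provided via HTTP\b")

def parse_sni_mismatch(line):
    """Return a dict for an SNI/HTTP hostname mismatch line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client = m.group("client")
    # The field is "addr:port"; split on the last colon so IPv6 addresses survive.
    ip = client.rsplit(":", 1)[0] if client else None
    host = HTTP_HOST_RE.search(m.group("rest"))
    return {"ip": ip, "sni": m.group("sni"),
            "http_host": host.group(1) if host else None}

def summarize(log_text, threshold=2):
    """Return (clients with >= threshold mismatches, count of unattributable lines)."""
    hits, unattributed = Counter(), 0
    for line in log_text.splitlines():
        event = parse_sni_mismatch(line)
        if event is None:
            continue
        if event["ip"] is None:
            unattributed += 1   # no [client ...] field: nothing to ban on
        else:
            hits[event["ip"]] += 1
    offenders = sorted(ip for ip, n in hits.items() if n >= threshold)
    return offenders, unattributed

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```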
[Bug 62003] [req] Add client IP to "Hostname %s provided via SNI..."
messages
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62003
--- Comment #6 from Christophe JAILLET <ch...@wanadoo.fr> ---
r1827865
[Bug 62003] [req] Add client IP to "Hostname %s provided via SNI..."
messages
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62003
--- Comment #1 from Christophe JAILLET <ch...@wanadoo.fr> ---
Shouldn't a custom LogFormat
(https://httpd.apache.org/docs/2.4/en/mod/mod_log_config.html#formats) be
enough?
[Bug 62003] [req] Add client IP to "Hostname %s provided via SNI..."
messages
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62003
--- Comment #2 from Ben RUBSON <be...@gmail.com> ---
I don't think so, as all other error messages correctly show up with the client
IP.
For example this one is OK:
https://github.com/apache/httpd/blob/2.4.33/modules/aaa/mod_authz_core.c#L870
But this one, as stated above, does not show the client IP:
https://github.com/apache/httpd/blob/2.4.33/modules/ssl/ssl_engine_kernel.c#L324
Perhaps the 4th parameter given to ap_log_error() is the culprit?
(ap_log_error() must certainly extract the client IP from it?)