httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From kbr...@apache.org
Subject svn commit: r1175416 - in /httpd/httpd/trunk: CHANGES modules/ssl/ssl_engine_io.c
Date Sun, 25 Sep 2011 15:55:13 GMT
Author: kbrand
Date: Sun Sep 25 15:55:13 2011
New Revision: 1175416

URL: http://svn.apache.org/viewvc?rev=1175416&view=rev
Log:
enable the SNI extension for proxy connections
to TLS backends (but avoid for pure SSLv2/SSLv3)

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/modules/ssl/ssl_engine_io.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1175416&r1=1175415&r2=1175416&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Sun Sep 25 15:55:13 2011
@@ -12,6 +12,9 @@ Changes with Apache 2.3.15
      PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener,
      <lowprio20 gmail.com>]
 
+  *) mod_ssl/proxy: enable the SNI extension for backend TLS connections
+     [Kaspar Brand]
+
   *) Add wrappers for malloc, calloc, realloc that check for out of memory
      situations and use them in many places. PR 51568, PR 51569, PR 51571.
      [Stefan Fritsch]

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_io.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_io.c?rev=1175416&r1=1175415&r2=1175416&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_io.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_io.c Sun Sep 25 15:55:13 2011
@@ -1040,9 +1040,39 @@ static apr_status_t ssl_io_filter_handsh
 
     server = sslconn->server;
     if (sslconn->is_proxy) {
-        const char *hostname_note;
-
+#ifndef OPENSSL_NO_TLSEXT
+        apr_ipsubnet_t *ip;
+#endif
+        const char *hostname_note = apr_table_get(c->notes,
+                                                  "proxy-request-hostname");
         sc = mySrvConfig(server);
+
+#ifndef OPENSSL_NO_TLSEXT
+        /*
+         * Enable SNI for backend requests. Make sure we don't do it for
+         * pure SSLv2 or SSLv3 connections, and also prevent IP addresses
+         * from being included in the SNI extension. (OpenSSL would simply
+         * pass them on, but RFC 6066 is quite clear on this: "Literal
+         * IPv4 and IPv6 addresses are not permitted".)
+         */
+        if (hostname_note &&
+            sc->proxy->protocol != SSL_PROTOCOL_SSLV2 &&
+            sc->proxy->protocol != SSL_PROTOCOL_SSLV3 &&
+            apr_ipsubnet_create(&ip, hostname_note, NULL,
+                                c->pool) != APR_SUCCESS) {
+            if (SSL_set_tlsext_host_name(filter_ctx->pssl, hostname_note)) {
+                ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
+                              "SNI extension for SSL Proxy request set to '%s'",
+                              hostname_note);
+            } else {
+                ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c,
+                              "Failed to set SNI extension for SSL Proxy "
+                              "request to '%s'", hostname_note);
+                ssl_log_ssl_error(SSLLOG_MARK, APLOG_WARNING, server);
+            }
+	}
+#endif
+
         if ((n = SSL_connect(filter_ctx->pssl)) <= 0) {
             ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
                           "SSL Proxy connect failed");
@@ -1072,9 +1102,8 @@ static apr_status_t ssl_io_filter_handsh
             }
             X509_free(cert);
         }
-        if ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE)
-            && ((hostname_note =
-                 apr_table_get(c->notes, "proxy-request-hostname")) != NULL)) {
+        if ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE) &&
+            hostname_note) {
             const char *hostname;
 
             hostname = ssl_var_lookup(NULL, server, c, NULL,



Mime
View raw message