httpd-cvs mailing list archives

From kbr...@apache.org
Subject svn commit: r1501712 - in /httpd/httpd/branches/2.2.x: CHANGES modules/ssl/ssl_engine_io.c
Date Wed, 10 Jul 2013 10:32:28 GMT
Author: kbrand
Date: Wed Jul 10 10:32:28 2013
New Revision: 1501712

URL: http://svn.apache.org/r1501712
Log:
Updated fix for issue which was initially addressed in r1500108:

mod_ssl: Fix "SNI for backend" when compiled against
OpenSSL without support for SSLv2.

PR 55194.

Followup to r1497466. Does not apply to trunk or 2.4.x.

Proposed by: kbrand
Reviewed by: wrowe, rpluem

Modified:
    httpd/httpd/branches/2.2.x/CHANGES
    httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c

Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=1501712&r1=1501711&r2=1501712&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Wed Jul 10 10:32:28 2013
@@ -1,7 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.2.26
 
-
+  *) mod_ssl: Fix compilation error when OpenSSL does not contain
+     support for SSLv2. Problem was introduced in 2.2.25. PR 55194.
+     [Rainer Jung, Kaspar Brand]
 
 Changes with Apache 2.2.25
 
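Review bot: The added CHANGES entry describes only a "compilation error" and does not name the affected feature, while the commit log describes the same fix as 'Fix "SNI for backend"'. Mentioning SNI for backend connections in the entry would let someone reading CHANGES connect the build failure to that feature without looking up PR 55194.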

Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c?rev=1501712&r1=1501711&r2=1501712&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c Wed Jul 10 10:32:28 2013
@@ -1073,13 +1073,16 @@ static int ssl_io_filter_connect(ssl_fil
 #ifndef OPENSSL_NO_TLSEXT
         /*
          * Enable SNI for backend requests. Make sure we don't do it for
-         * pure SSLv2 or SSLv3 connections, and also prevent IP addresses
+         * pure SSLv3 connections, and also prevent IP addresses
          * from being included in the SNI extension. (OpenSSL would simply
          * pass them on, but RFC 6066 is quite clear on this: "Literal
          * IPv4 and IPv6 addresses are not permitted".)
+         * We can omit the check for SSL_PROTOCOL_SSLV2 as there is
+         * no way for OpenSSL to screw up things in this case (it's
+         * impossible to include extensions in a pure SSLv2 ClientHello,
+         * protocol-wise).
          */
         if (hostname_note &&
-            sc->proxy->protocol != SSL_PROTOCOL_SSLV2 &&
             sc->proxy->protocol != SSL_PROTOCOL_SSLV3 &&
             apr_ipsubnet_create(&ip, hostname_note, NULL,
                                 c->pool) != APR_SUCCESS) {
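Review bot: The new comment lines explain why omitting the SSL_PROTOCOL_SSLV2 check is harmless, but not why it was removed; going by the CHANGES entry in this commit, the reason is the build failure against OpenSSL without SSLv2 support, and saying so in the comment would keep a later reader from restoring the test. The wording "no way for OpenSSL to screw up things" could also be made more precise, for example by stating directly that a pure SSLv2 ClientHello cannot carry extensions, so no SNI extension can be sent on such a connection.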


