Return-Path: X-Original-To: apmail-httpd-cvs-archive@www.apache.org Delivered-To: apmail-httpd-cvs-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id BE20310C97 for ; Mon, 23 Dec 2013 20:48:21 +0000 (UTC) Received: (qmail 16504 invoked by uid 500); 23 Dec 2013 20:48:21 -0000 Delivered-To: apmail-httpd-cvs-archive@httpd.apache.org Received: (qmail 16439 invoked by uid 500); 23 Dec 2013 20:48:21 -0000 Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list cvs@httpd.apache.org Received: (qmail 16428 invoked by uid 99); 23 Dec 2013 20:48:21 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 23 Dec 2013 20:48:21 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 23 Dec 2013 20:48:19 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id D844F2388868; Mon, 23 Dec 2013 20:47:59 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1553204 - /httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Date: Mon, 23 Dec 2013 20:47:59 -0000 To: cvs@httpd.apache.org 
From: rpluem@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20131223204759.D844F2388868@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: rpluem Date: Mon Dec 23 20:47:59 2013 New Revision: 1553204 URL: http://svn.apache.org/r1553204 Log: * Do not perform SNI / Host header comparison in case of a forward proxy request as in case of a forward proxy request the host header can not be used for virtual host selection in our webserver. Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1553204&r1=1553203&r2=1553204&view=diff ============================================================================== --- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original) +++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Mon Dec 23 20:47:59 2013 
@@ -164,47 +164,55 @@ int ssl_hook_ReadReq(request_rec *r)
 return DECLINED;
 }
 #ifdef HAVE_TLSEXT
- if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
- char *host, *scope_id;
- apr_port_t port;
- apr_status_t rv;
-
- /*
- * The SNI extension supplied a hostname. So don't accept requests
- * with either no hostname or a different hostname.
- */
- if (!r->hostname) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02031)
- "Hostname %s provided via SNI, but no hostname"
- " provided in HTTP request", servername);
- return HTTP_BAD_REQUEST;
- }
- rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool);
- if (rv != APR_SUCCESS || scope_id) {
- return HTTP_BAD_REQUEST;
- }
- if (strcasecmp(host, servername)) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02032)
- "Hostname %s provided via SNI and hostname %s provided"
- " via HTTP are different", servername, host);
- return HTTP_BAD_REQUEST;
- }
- }
- else if (((sc->strict_sni_vhost_check == SSL_ENABLED_TRUE)
- || (mySrvConfig(sslconn->server))->strict_sni_vhost_check
- == SSL_ENABLED_TRUE)
- && r->connection->vhost_lookup_data) {
- /*
- * We are using a name based configuration here, but no hostname was
- * provided via SNI. Don't allow that if are requested to do strict
- * checking. Check wether this strict checking was setup either in the
- * server config we used for handshaking or in our current server.
- * This should avoid insecure configuration by accident.
- */
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02033)
- "No hostname was provided via SNI for a name based"
- " virtual host");
- return HTTP_FORBIDDEN;
+ if (r->proxyreq != PROXYREQ_PROXY) {
+ if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
+ char *host, *scope_id;
+ apr_port_t port;
+ apr_status_t rv;
+
+ /*
+ * The SNI extension supplied a hostname. So don't accept requests
+ * with either no hostname or a different hostname as this could
+ * cause us to end up in a different virtual host as the one that
+ * was used for the handshake causing different SSL parameters to
+ * be applied.
+ * XXX: TODO check if this is really true and that there are
+ * SSL parameters that are not fixed by a renegotiation in
+ * ssl_hook_Access.
+ */
+ if (!r->hostname) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02031)
+ "Hostname %s provided via SNI, but no hostname"
+ " provided in HTTP request", servername);
+ return HTTP_BAD_REQUEST;
+ }
+ rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool);
+ if (rv != APR_SUCCESS || scope_id) {
+ return HTTP_BAD_REQUEST;
+ }
+ if (strcasecmp(host, servername)) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02032)
+ "Hostname %s provided via SNI and hostname %s provided"
+ " via HTTP are different", servername, host);
+ return HTTP_BAD_REQUEST;
+ }
+ }
+ else if (((sc->strict_sni_vhost_check == SSL_ENABLED_TRUE)
+ || (mySrvConfig(sslconn->server))->strict_sni_vhost_check
+ == SSL_ENABLED_TRUE)
+ && r->connection->vhost_lookup_data) {
+ /*
+ * We are using a name based configuration here, but no hostname was
+ * provided via SNI. Don't allow that if are requested to do strict
+ * checking. Check wether this strict checking was setup either in the
+ * server config we used for handshaking or in our current server.
+ * This should avoid insecure configuration by accident.
+ */
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02033)
+ "No hostname was provided via SNI for a name based"
+ " virtual host");
+ return HTTP_FORBIDDEN;
+ }
 }
 #endif
 SSL_set_app_data2(ssl, r);
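Review bot: The new `if (r->proxyreq != PROXYREQ_PROXY)` guard encloses both branches, so it also bypasses the `SSLStrictSNIVHostCheck` path (the `else if` on `strict_sni_vhost_check`) for forward-proxy requests, although the log message only justifies skipping the SNI/Host comparison; a forward-proxy request without SNI on a name-based address that was previously refused with HTTP_FORBIDDEN is now accepted. If only the comparison is meant to be skipped, fetch `servername` once, keep the strict-check `else if` at the outer level, and apply the proxyreq test inside the SNI branch only, as sketched below. Whether `r->proxyreq` is already populated at this point seems to depend on mod_proxy's post_read_request hook having run before `ssl_hook_ReadReq`; that ordering is not visible in this hunk and deserves a comment such as `/* r->proxyreq is set by mod_proxy's post_read_request hook, which must run before this one */`. `ssl_hook_ReadReq` begins before this hunk.

```c
    servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
    if (servername) {
        /* Forward-proxy requests do not select a vhost by Host header,
         * so only compare SNI against Host for non-proxy requests. */
        if (r->proxyreq != PROXYREQ_PROXY) {
            /* … unchanged: Host header parsing and SNI comparison … */
        }
    }
    else if (((sc->strict_sni_vhost_check == SSL_ENABLED_TRUE)
    /* … unchanged: strict SNI vhost check … */
```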