httpd-dev mailing list archives

From Kaspar Brand <>
Subject Re: SNI in 2.2.x (Re: Time for 2.2.10?)
Date Wed, 08 Apr 2009 08:17:00 GMT
Plüm, Rüdiger, VF-Group wrote:
> I reviewed your patch and found some issues with it.

Thanks for your review and testing, Rüdiger. I assume you used an
adapted version of the sni_sslverifyclient-v5.diff patch, is that correct?

> (All cases below use Name based virtual hosting and a non SNI client):
> 1. Renegotiation due to more restrictive cipher requirements:
> Lets say the first virtual host allows cipher A and B.
> The handshake with the client decided to use A.
> The virtual host the client switches to later also allows A and B.
> But /restricted in this host only allows B.
> In this case a request to /restricted does not cause a renegotiation
> but it should.

Right. It also applies to SNI clients, actually, and the problem is that
the logic of this code (added in sni_sslverifyclient-v4.diff) is flawed:

  if ((dc->szCipherSuite &&
       !modssl_set_cipher_list(ssl, dc->szCipherSuite)) ||
      (sc->server->auth.cipher_suite &&
       !modssl_set_cipher_list(ssl, sc->server->auth.cipher_suite))) {

- it will override the per-dir setting for the cipher suite with that
from the vhost level, if the latter is also set. Changing these lines to

  if ((dc->szCipherSuite || sc->server->auth.cipher_suite) &&
      !modssl_set_cipher_list(ssl, dc->szCipherSuite ?
                                   dc->szCipherSuite :
                                   sc->server->auth.cipher_suite)) {

resolves this issue for me.

> 2. The verification depth check causes unneeded renegotiations which
>    break the ssl v2 tests in the perl framework (No discussion here please
>    whether we should still support SSL v2 :-))

This is an issue I already addressed in the patch for 2.2.x
(, but I guess you
were testing a trunk version without these changes, is that correct?

> There might be further issues but I currently have no time to check.
> I think we both agree that without this patch from you name based virtual
> hosting with SSL is definitely unsafe.
> I haven't analyzed any further if the above issues are fixable or not
> and I admit that I currently have no resources to do so.

I'm attaching a new patch (against r763127, i.e. current trunk), which
addresses both issues. Would very much appreciate if you could have a
look at it / give it a try, as it would definitely improve the situation
regarding SNI support in mod_ssl.
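
The precedence bug discussed in issue 1 above, as an added example that is not part of the original mail or of mod_ssl. The snippet models the two versions of the condition against a stand-in SSL object (example_ssl, example_set_cipher_list and the colon-separated cipher_in_list helper are constructed for this example, not OpenSSL or mod_ssl APIs) and shows why the v4 logic lets a request to a location that only permits cipher B go through on a connection that negotiated A, while the corrected logic flags the renegotiation:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the SSL object: only records the cipher list last applied to it.
 * Constructed for this example; not mod_ssl's or OpenSSL's types. */
typedef struct {
    char cipher_list[64];
} example_ssl;

/* Stand-in for modssl_set_cipher_list(): returns 1 on success, 0 on failure,
 * like SSL_set_cipher_list(). Each call overwrites the previous list. */
static int example_set_cipher_list(example_ssl *ssl, const char *list)
{
    if (list == NULL || *list == '\0')
        return 0;
    snprintf(ssl->cipher_list, sizeof ssl->cipher_list, "%s", list);
    return 1;
}

/* The condition as it stood in sni_sslverifyclient-v4.diff: when both the
 * per-directory and the per-vhost SSLCipherSuite are set, both calls run and
 * the vhost list, applied second, silently replaces the per-directory one.
 * Returns the list the SSL object ends up with, or NULL on error. */
const char *apply_cipher_suite_v4(example_ssl *ssl, const char *dir_suite,
                                  const char *vhost_suite)
{
    if ((dir_suite && !example_set_cipher_list(ssl, dir_suite)) ||
        (vhost_suite && !example_set_cipher_list(ssl, vhost_suite))) {
        return NULL;
    }
    return ssl->cipher_list;
}

/* The corrected condition from the mail: exactly one list is applied, and the
 * per-directory setting takes precedence over the vhost setting. */
const char *apply_cipher_suite_fixed(example_ssl *ssl, const char *dir_suite,
                                     const char *vhost_suite)
{
    if ((dir_suite || vhost_suite) &&
        !example_set_cipher_list(ssl, dir_suite ? dir_suite : vhost_suite)) {
        return NULL;
    }
    return ssl->cipher_list;
}

/* True if `cipher` appears in the colon-separated `list` (e.g. "A:B"). */
bool cipher_in_list(const char *list, const char *cipher)
{
    size_t clen = strlen(cipher);
    const char *p = list;
    while (*p) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == clen && memcmp(p, cipher, clen) == 0)
            return true;
        if (!end)
            break;
        p = end + 1;
    }
    return false;
}

/* Renegotiation is needed when the cipher negotiated in the initial handshake
 * is not in the list that the target location actually permits. Returns true
 * if the chosen precedence logic would trigger it for the given settings. */
bool renegotiation_needed(bool use_fixed_logic, const char *negotiated,
                          const char *dir_suite, const char *vhost_suite)
{
    example_ssl ssl = { "" };
    const char *effective = use_fixed_logic
        ? apply_cipher_suite_fixed(&ssl, dir_suite, vhost_suite)
        : apply_cipher_suite_v4(&ssl, dir_suite, vhost_suite);
    if (effective == NULL)
        return true; /* applying the list failed; treat as "must renegotiate" */
    return !cipher_in_list(effective, negotiated);
}

int main(void)
{
    /* Scenario from the mail: the handshake picked A, the vhost allows A and B,
     * /restricted only allows B. */
    printf("v4 logic:    renegotiate=%d\n",
           (int)renegotiation_needed(false, "A", "B", "A:B")); /* 0: the bug */
    printf("fixed logic: renegotiate=%d\n",
           (int)renegotiation_needed(true, "A", "B", "A:B"));  /* 1 */
    return 0;
}
```

With the v4 condition the effective list after the per-directory merge is the vhost's "A:B", so the already-negotiated A still passes and no renegotiation happens; with the corrected condition the effective list is "B" and the request cannot be served without renegotiating. When only the vhost suite is set, both versions behave the same.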

