httpd-dev mailing list archives

From Ruediger Pluem <rpl...@apache.org>
Subject Re: 2.2.12 ?
Date Sat, 02 May 2009 07:37:53 GMT


On 05/02/2009 12:21 AM, William A. Rowe, Jr. wrote:
> Ruediger Pluem wrote:
>> On 05/01/2009 07:11 AM, Kaspar Brand wrote:
>>> Ruediger Pluem wrote:
>>>> I hope to get the SNI patches summarized in a backportable
>>>> way by then to have them included in 2.2.12.
>>> Didn't want to rush things, but since there were no objections to the
>>> recent trunk commits so far - here's an updated backport for 2.2
>>> (including your improvements from March/April, see revision list at the
>>> top of the file):
>>>
>>> http://sni.velox.ch/httpd-2.2.x-sni.20090426.diff
>> Thanks for this. Especially the list of revision numbers will be
>> very helpful for the further process.
> 
> I have only one small concern about adopting this.  Consider the diversity
> of installations which users install httpd onto.
> 
> --- httpd-2.2.x/modules/ssl/mod_ssl.c	(revision 768694)
> +++ httpd-2.2.x/modules/ssl/mod_ssl.c	(working copy)
> @@ -145,6 +145,10 @@ static const command_rec ssl_config_cmds[] = {
>                  "Use the server's cipher ordering preference")
>      SSL_CMD_ALL(UserName, TAKE1,
>                  "Set user name to SSL variable value")
> +#ifndef OPENSSL_NO_TLSEXT
> +    SSL_CMD_SRV(StrictSNIVHostCheck, FLAG,
> +                "Strict SNI virtual host checking")
> +#endif
> 
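Review bot: the `SSL_CMD_SRV(StrictSNIVHostCheck, FLAG, ...)` entry is wrapped in `#ifndef OPENSSL_NO_TLSEXT`, so on a build where `OPENSSL_NO_TLSEXT` is defined the directive is never registered in `ssl_config_cmds[]`. A configuration that uses it is then rejected as an unknown directive, with nothing pointing at the OpenSSL build as the cause. Consider keeping the table entry unconditional and moving the conditional into the directive's handler, which can return an error string naming the missing TLS extension support. The help text "Strict SNI virtual host checking" could also state what enabling the flag enforces.
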
> This provides no clue why the directive fails.  I'm not fond of conditional
> compilation of directives.
> 
> If we can ensure the StrictSNIVHostCheck always exists, but exits when it
> is not supported with;
> 
> #ifndef OPENSSL_NO_TLSEXT
>     return "StrictSNIVHostCheck failed; OpenSSL is not built with support "
>            "for TLS extensions and SNI indication.  Refer to the "
>            "documentation, and build a compatible version of openssl";
> #else
> ... usual stuff
> #endif
> 
> Does this make better sense to avoid user complaints?

Apart from the fact that you need to swap both blocks above, yes, this makes sense :-).
I'll try to adjust it if no one beats me to it.

Regards

Rüdiger

