httpd-dev mailing list archives

From Ruediger Pluem <rpl...@apache.org>
Subject Re: svn commit: r768504 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS docs/manual/mod/mod_ssl.xml modules/proxy/mod_proxy_http.c modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_io.c modules/ssl/ssl_private.h
Date Mon, 04 May 2009 19:22:51 GMT


On 04/25/2009 11:50 AM, rpluem@apache.org wrote:
> Author: rpluem
> Date: Sat Apr 25 09:50:27 2009
> New Revision: 768504
> 
> URL: http://svn.apache.org/viewvc?rev=768504&view=rev
> Log:
> Backport of r760866:
> 
> * Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives to enable
>   stricter checking of remote server certificates.
> 
>   (docs/manual/mod/mod_ssl.xml)
>     Documentation of SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
> 
>   (modules/proxy/mod_proxy_http.c)
>     Set the hostname of the request URL as note on the connection.
> 
>   (modules/ssl/ssl_private.h)
>     Add proxy_ssl_check_peer_expire and proxy_ssl_check_peer_cn fields to
>     the SSLSrvConfigRec.
> 
>   (modules/ssl/ssl_engine_config.c)
>     Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
> 
>   (modules/ssl/ssl_engine_io.c)
>     Check whether the remote server's certificate is expired / if there is a
>     mismatch between the requested hostname and the remote server certificate's
>     CN field.
>     Be able to parse ASN1 times.
> 
>   (modules/ssl/mod_ssl.c)
>     Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
> 
> Submitted by: rpluem
> Reviewed by: rpluem, jim, jfclere
> 
> Modified:
>     httpd/httpd/branches/2.2.x/CHANGES
>     httpd/httpd/branches/2.2.x/STATUS
>     httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml
>     httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_http.c
>     httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c
>     httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c
>     httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c
>     httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h
> 

During my work on the SNI backport I noticed that during my preparation of
the backport patch for this proposal one import line fell through the cracks
that was contained in r760866.

The following patch would fix this missing initialization:

Index: modules/ssl/ssl_engine_io.c
===================================================================
--- modules/ssl/ssl_engine_io.c (revision 771213)
+++ modules/ssl/ssl_engine_io.c (working copy)
@@ -1060,6 +1060,7 @@
     if (sslconn->is_proxy) {
         const char *hostname_note;

+        sc = mySrvConfig(sslconn->server);
         if ((n = SSL_connect(filter_ctx->pssl)) <= 0) {
             ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
                           "SSL Proxy connect failed");
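
Review bot: the added `sc = mySrvConfig(sslconn->server);` at the top of the `if (sslconn->is_proxy)` block is the only assignment of `sc` visible in this hunk, and its declaration lies outside it. Since the message describes this as a missing initialization, consider initializing `sc` where it is declared instead, so no path through the function can read it unset. A one-line comment noting that the SSLProxyCheckPeerExpire / SSLProxyCheckPeerCN settings are read from `sc` (the commit log places both fields in SSLSrvConfigRec) would also make clear why the assignment must come before those checks.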



Can I just correct this error and fix it in 2.2.x?


Regards

Rüdiger
