Message-ID: <49FF408B.7090804@apache.org>
Date: Mon, 04 May 2009 21:22:51 +0200
From: Ruediger Pluem
To: dev@httpd.apache.org
Subject: Re: svn commit: r768504 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS docs/manual/mod/mod_ssl.xml modules/proxy/mod_proxy_http.c modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_io.c modules/ssl/ssl_private.h

On 04/25/2009 11:50 AM, rpluem@apache.org wrote:
> Author: rpluem
> Date: Sat Apr 25 09:50:27 2009
> New Revision: 768504
>
> URL: http://svn.apache.org/viewvc?rev=768504&view=rev
> Log:
> Backport of r760866:
>
> * Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives to enable
>   stricter checking of remote server certificates.
>
> (docs/manual/mod/mod_ssl.xml)
> Documentation of SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
>
> (modules/proxy/mod_proxy_http.c)
> Set the hostname of the request URL as note on the connection.
>
> (modules/ssl/ssl_private.h)
> Add proxy_ssl_check_peer_expire and proxy_ssl_check_peer_cn fields to
> the SSLSrvConfigRec.
>
> (modules/ssl/ssl_engine_config.c)
> Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
>
> (modules/ssl/ssl_engine_io.c)
> Check whether the remote server's certificate is expired / if there is a
> mismatch between the requested hostname and the remote server certificate's
> CN field.
> Be able to parse ASN1 times.
>
> (modules/ssl/mod_ssl.c)
> Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN.
>
> Submitted by: rpluem
> Reviewed by: rpluem, jim, jfclere
>
> Modified:
>     httpd/httpd/branches/2.2.x/CHANGES
>     httpd/httpd/branches/2.2.x/STATUS
>     httpd/httpd/branches/2.2.x/docs/manual/mod/mod_ssl.xml
>     httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_http.c
>     httpd/httpd/branches/2.2.x/modules/ssl/mod_ssl.c
>     httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_config.c
>     httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c
>     httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h
>

During my work on the SNI backport I noticed that during my preparation of the backport
patch for this proposal one import line fell through the cracks that was contained in
r760866. The following patch would fix this missing initialization:

Index: modules/ssl/ssl_engine_io.c =================================================================== --- modules/ssl/ssl_engine_io.c (revision 771213) +++ modules/ssl/ssl_engine_io.c (working copy) @@ -1060,6 +1060,7 @@ if (sslconn->is_proxy) { const char *hostname_note; + sc = mySrvConfig(sslconn->server); if ((n = SSL_connect(filter_ctx->pssl)) <= 0) { ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, "SSL Proxy connect failed");

Can I just correct this error and fix it in 2.2.x?

Regards

Rüdiger
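
Review bot: In the `if (sslconn->is_proxy)` block, the added `sc = mySrvConfig(sslconn->server);` assigns a variable whose declaration is outside the visible context, so confirm that `sc` is declared in the enclosing function and that nothing reads it before this assignment, either earlier in this block or on the non-proxy path. The message calls this a missing initialization carried over from r760866; if the SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN checks in this function read `sc`, then the code as backported in r768504 evaluated them through an unset pointer, and that deserves a line in the commit log and CHANGES so that anyone who picked up r768504 knows to take this fix as well.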