httpd-dev mailing list archives

From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: svn commit: r1500108 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS modules/ssl/ssl_engine_io.c
Date Wed, 10 Jul 2013 08:32:06 GMT
If you frame this as a fast vote for adoption, and correct the text
in https://dist.apache.org/repos/dist/release/httpd/Announcement2.2.txt
as well as the .html version, I'll post that in my morning (which is
still stuck on PDT from my travels).

Otherwise, I'll post the existing text, which seems to solve the issue,
even if it is overkill.

+1 for such a change, please do a revert and apply the correct patch
in order for users to see a single patch which solves the 2.2.25 .tar
image, thanks.

Bill


On Wed, 10 Jul 2013 08:04:44 +0200
Kaspar Brand <httpd-dev.2013@velox.ch> wrote:

> On 10.07.2013 07:53, William A. Rowe Jr. wrote:
> > Color me confused.  Where SSLv2 alone is dropped from the stock
> > OpenSSL build, 2.2.25 would not compile.  The
> > www.a.o/dist/httpd/Announcement file calls out this patch as a
> > workaround, which I will publish once I have sorted why the binary
> > win32 dbd drivers don't correspond to the prior release.
> > 
> > Could you rephrase what you are getting at so we can correct the ANN
> > message? http://www.apache.org/dist/httpd/Announcement2.2.txt para
> > 5.
> 
> Apologies for having been confusing... let code speak, that should
> hopefully make things clear. Here's what I would suggest for
> ssl_engine_io.c in 2.2.26:
> 
> --- snip ---
> 
> #ifndef OPENSSL_NO_TLSEXT
>         /*
>          * Enable SNI for backend requests. Make sure we don't do it for
>          * pure SSLv3 connections, and also prevent IP addresses
>          * from being included in the SNI extension. (OpenSSL would simply
>          * pass them on, but RFC 6066 is quite clear on this: "Literal
>          * IPv4 and IPv6 addresses are not permitted".)
>          */
>         if (hostname_note &&
>             sc->proxy->protocol != SSL_PROTOCOL_SSLV3 &&
>             apr_ipsubnet_create(&ip, hostname_note, NULL,
>                                 c->pool) != APR_SUCCESS) {
>             if (SSL_set_tlsext_host_name(filter_ctx->pssl, hostname_note)) {
>                 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
>                               "SNI extension for SSL Proxy request set to '%s'",
>                               hostname_note);
>             } else {
>                 ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c,
>                               "Failed to set SNI extension for SSL Proxy "
>                               "request to '%s'", hostname_note);
>                 ssl_log_ssl_error(APLOG_MARK, APLOG_WARNING, server);
>             }
>         }
> #endif
> 
> --- snip ---
> 
> Kaspar


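The SNI eligibility check from the quoted snippet, as an added stand-alone example (not part of this thread and not httpd code). It assumes POSIX `inet_pton` in place of `apr_ipsubnet_create`; `is_ip_literal`, `should_send_sni` and the `sslv3_only` flag are hypothetical names, the sample hosts are constructed, and it goes slightly beyond the snippet by also rejecting bracketed and zone-scoped IPv6 literals.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: 1 if host is an IPv4/IPv6 literal, else 0.
 * Accepts the URL form "[2001:db8::1]" and a "%zone" suffix, neither of
 * which inet_pton() parses on its own. */
static int is_ip_literal(const char *host)
{
    unsigned char addr[16];
    char tmp[INET6_ADDRSTRLEN + 1];
    size_t len = strlen(host);
    size_t zone;

    if (len >= 2 && host[0] == '[' && host[len - 1] == ']') {
        host++;                 /* skip '[' and ignore the closing ']' */
        len -= 2;
    }
    zone = strcspn(host, "%");  /* cut a scope id such as "%eth0" */
    if (zone < len)
        len = zone;
    if (len == 0 || len >= sizeof(tmp))
        return 0;               /* too long to be an address: treat as a name */
    memcpy(tmp, host, len);
    tmp[len] = '\0';
    return inet_pton(AF_INET, tmp, addr) == 1 ||
           inet_pton(AF_INET6, tmp, addr) == 1;
}

/* sslv3_only is an assumed stand-in for the snippet's test
 * sc->proxy->protocol == SSL_PROTOCOL_SSLV3. */
int should_send_sni(const char *host, int sslv3_only)
{
    if (host == NULL || *host == '\0' || sslv3_only)
        return 0;
    return !is_ip_literal(host); /* RFC 6066: no literal addresses in SNI */
}

int main(void)
{
    /* Constructed sample backend hosts. */
    const char *hosts[] = { "backend.example.com", "192.0.2.10",
                            "2001:db8::1", "[2001:db8::1]", "fe80::1%eth0" };
    for (size_t i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++)
        printf("%-22s sni=%d\n", hosts[i], should_send_sni(hosts[i], 0));
    return 0;
}
```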