httpd-dev mailing list archives

From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: svn commit: r1497466 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS modules/ssl/ssl_engine_io.c
Date Wed, 03 Jul 2013 20:36:12 GMT
On 03.07.2013 19:04, Eric Covener wrote:
>> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c?rev=1497466&r1=1497465&r2=1497466&view=diff
>> ==============================================================================
>> --- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c (original)
>> +++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c Thu Jun 27 17:24:58 2013
>> @@ -1063,9 +1063,39 @@ static int ssl_io_filter_connect(ssl_fil
>>
>>      server = sslconn->server;
>>      if (sslconn->is_proxy) {
>> -        const char *hostname_note;
>> -
>> +#ifndef OPENSSL_NO_TLSEXT
>> +        apr_ipsubnet_t *ip;
>> +#endif
>> +        const char *hostname_note = apr_table_get(c->notes,
>> +                                                  "proxy-request-hostname");
>>          sc = mySrvConfig(server);
>> +
>> +#ifndef OPENSSL_NO_TLSEXT
>> +        /*
>> +         * Enable SNI for backend requests. Make sure we don't do it for
>> +         * pure SSLv2 or SSLv3 connections, and also prevent IP addresses
>> +         * from being included in the SNI extension. (OpenSSL would simply
>> +         * pass them on, but RFC 6066 is quite clear on this: "Literal
>> +         * IPv4 and IPv6 addresses are not permitted".)
>> +         */
>> +        if (hostname_note &&
>> +            sc->proxy->protocol != SSL_PROTOCOL_SSLV2 &&
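Review bot: The `sc->proxy->protocol != SSL_PROTOCOL_SSLV2` test in the new `if (hostname_note && ...` condition is guarded only by `#ifndef OPENSSL_NO_TLSEXT`, so it assumes the SSLv2 constant is defined on every build that has TLS extensions. If that constant is only available when SSLv2 support is compiled in, this line will not compile on such builds. Wrap just that comparison in `#ifndef OPENSSL_NO_SSL2` so the rest of the condition, and with it backend SNI, still builds when SSLv2 is absent.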
> 
> 
> A user on IRC reported that the SSL_PROTOCOL_SSLV2 here caused a build
> break on his Debian system. Does it need to be wrapped in an
> OPENSSL_NO_SSL2 macro?

Oops, yes.

Proposed
http://people.apache.org/~rjung/patches/sni-backend-fix-r1497466-2_2.patch
in STATUS right now. Doesn't apply to trunk and 2.4 due to removed SSLv2
support there.

Regards,

Rainer

