httpd-dev mailing list archives

From Kaspar Brand <httpd-dev.2...@velox.ch>
Subject Re: svn commit: r1500108 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS modules/ssl/ssl_engine_io.c
Date Wed, 10 Jul 2013 05:41:35 GMT
On 05.07.2013 21:25, rjung@apache.org wrote:
> Author: rjung
> Date: Fri Jul  5 19:25:28 2013
> New Revision: 1500108
> 
> URL: http://svn.apache.org/r1500108
> Log:
> mod_ssl: Fix "SNI for backend" when compiled against
> OpenSSL without support for SSLv2.
> 
> PR 55194.
> 
> Followup to r1497466. Does not apply to trunk or 2.4.x.

I missed the review of r1497466 (i.e. the backport of r1175416) in time,
sorry... however, note that for 2.2.26, in the following code:
> Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c?rev=1500108&r1=1500107&r2=1500108&view=diff
> ==============================================================================
> --- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c (original)
> +++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c Fri Jul  5 19:25:28 2013
> @@ -1079,7 +1079,9 @@ static int ssl_io_filter_connect(ssl_fil
>           * IPv4 and IPv6 addresses are not permitted".)
>           */
>          if (hostname_note &&
> +#ifndef OPENSSL_NO_SSL2
>              sc->proxy->protocol != SSL_PROTOCOL_SSLV2 &&
> +#endif
>              sc->proxy->protocol != SSL_PROTOCOL_SSLV3 &&
>              apr_ipsubnet_create(&ip, hostname_note, NULL,
>                                  c->pool) != APR_SUCCESS) {
> 
> 
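Review bot: Wrapping the `sc->proxy->protocol != SSL_PROTOCOL_SSLV2 &&` term in `#ifndef OPENSSL_NO_SSL2` / `#endif` inside a multi-line `if` condition compiles either way, but it leaves the comparison list hard to read and easy to break on the next edit, and the hunk gives no comment explaining why the guard exists (that the SSL_PROTOCOL_SSLV2 symbol is unavailable when OpenSSL is built without SSLv2, per PR 55194). Either add a one-line comment above the `#ifndef` stating that, or drop the SSLv2 term altogether and compare only against SSL_PROTOCOL_SSLV3, which is what trunk and 2.4.x already do and which removes the preprocessor conditional from the middle of the expression.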

it might make more sense to completely drop the #ifndef block, since
OpenSSL itself will never add TLS extensions for SSLv2
connections (that's the reason why even in trunk/2.4 we only check for
SSL_PROTOCOL_SSLV3).

Furthermore, with OpenSSL 1.0.0 and later, or 0.9.8m or later, the
glitch of including an SNI extension in an SSLv3 ClientHello has been
fixed in OpenSSL itself, so it's even debatable if we still need to
guard against this (0.9.8m and 1.0.0 were released in February/March
2010). See

http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=1629

http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=18f8258a87bd3b4099f5ab6f788c7bc2bfa00f9c

http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5d577d7eb0f6cd2432b60e6abececc6f7c9bbb79

Kaspar
