httpd-dev mailing list archives

From Yann Ylavic <ylavic....@gmail.com>
Subject Re: Re: Re: Re: Behavior of Host: vs. SNI Hostname in proxy CONNECT requests
Date Thu, 20 Feb 2014 14:00:05 GMT
mod_ssl won't fill in the SNI if it's an IP address; the check is not
in mod_proxy_http but in ssl_io_filter_connect():
        if (hostname_note &&
            sc->proxy->protocol != SSL_PROTOCOL_SSLV2 &&
            sc->proxy->protocol != SSL_PROTOCOL_SSLV3 &&
            apr_ipsubnet_create(&ip, hostname_note, NULL,
                                c->pool) != APR_SUCCESS) {
            ...set SNI to SSL...
        }

apr_ipsubnet_create() returns APR_SUCCESS in the IP address case.

The problem is probably elsewhere.


On Thu, Feb 20, 2014 at 2:39 PM, Pavel Matěja <pavel@netsafe.cz> wrote:
> On Thu, 20 Feb 2014 08:13:13, Eric Covener wrote:
>> On Thu, Feb 20, 2014 at 7:47 AM, Pavel Matěja <pavel@netsafe.cz> wrote:
>> > On Wed, 19 Feb 2014 21:09:10, William A. Rowe Jr. wrote:
>> >> I believe that Kaspar and Ruediger are still entirely at odds with my
>> >> position, but this 'enhancement' should never have been unilaterally
>> >> applied as it was to 2.2.26 and must be reverted (even as the feature
>> >> is 'fixed' with corrections they have blessed), e.g. the comparison
>> >> must be constrained to apply only to SSLStrictSNIVHostCheck enforcing
>> >> hosts under 2.2 to not break existing configurations.
>> >>
>> >> It similarly ought to be constrained to SSLStrictSNIVHostCheck on the
>> >> 2.4 branch, but I'm just not going to participate in that debate at
>> >> all, which is why I say 'ought to'. Time for a few more committers to
>> >> review the relevant specs and chime in with opinions on productive vs.
>> >> disruptive rules that are out-of-spec.
>> >
>> > Last note:
>> > when I go to the reverse proxy without a hostname I can't get the website at
>> > all.
>> > wget --no-check-certificate https://a.b.c.d will always return HTTP Error
>> > 500: AH01084: pass request body failed to..
>> > AH00898: Error during SSL Handshake with remote server returned by /
>> > AH01097: pass request body failed to..
>> >
>> > Any idea how to rework the configuration without the downgrade to SSLv3?
>>
>> Please post the full details in a bug report.
>
> It's quite simple.
>
> In pre-SNI days the hostname didn't matter.
>
> Now you can't reach the backend SSL server through the reverse proxy without the
> correct one when you have ProxyPreserveHost On.
>
> Apache will take the IP of the proxy and will try to pass it to the backend server in
> SNI.
>
> Which obviously has to fail.
>
> I guess the Apache reverse proxy should not fill a numeric IP address into the SNI
> request at all.
>
> Just what Kaspar Brand mentioned above: Pure host names (FQDN!) only: RFC
> 6066, section 3.
>
> Something like
>
> modules/proxy/mod_proxy_http.c:1968
>
> -if ((dconf->preserve_host != 0) && (r->hostname != NULL)) {
>
> +if ((dconf->preserve_host != 0) && (r->hostname != NULL) &&
> (is_fqdn(r->hostname))) {
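Review bot: the guard is on the wrong branch. The `if ((dconf->preserve_host != 0) && (r->hostname != NULL))` at mod_proxy_http.c:1968 is the ProxyPreserveHost branch, so adding `is_fqdn(r->hostname)` to it would change how a numeric Host is preserved for every proxied request, not just whether SNI is sent; the SNI decision itself is made in mod_ssl's ssl_io_filter_connect(), which already skips the extension when apr_ipsubnet_create() accepts the hostname note as an address. `is_fqdn()` is also not a helper the post can point to (the post says as much), so the patch will not build as written; if a host-name-vs-address test is wanted anywhere, apr_ipsubnet_create() is the call the tree already uses for exactly that distinction, and the observed handshake failure should be traced before changing this branch.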
>
> I'm not sure if there is such a function or what it is called.
>
> --
> Pavel Matěja

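The decision Yann's mod_ssl excerpt makes, and the RFC 6066 section 3 rule Pavel cites (only host names in server_name, never literal IPv4/IPv6 addresses), as an added stand-alone example. This is not code from httpd, mod_ssl or APR: it re-implements the "is the hostname note an address?" test with POSIX inet_pton() instead of apr_ipsubnet_create() so it builds without libapr, the legacy_ssl flag is a hypothetical stand-in for sc->proxy->protocol being SSLv2/SSLv3, and the sample host names are constructed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not code from httpd, mod_ssl or APR.
 *
 * In mod_ssl's ssl_io_filter_connect() the server_name extension is only
 * set when the hostname note is not an address, decided by
 * apr_ipsubnet_create() returning APR_SUCCESS. This version makes the
 * same decision with inet_pton(). It is an approximation: apr_ipsubnet_create()
 * additionally accepts "a.b.c.d/nn" subnet notation, which this code
 * would treat as a host name.
 */

/* 1 if s is an IPv4 or IPv6 literal (IPv6 optionally in URL-style
 * brackets), 0 if it looks like a host name. */
int is_ip_literal(const char *s)
{
    char buf[INET6_ADDRSTRLEN + 2];
    unsigned char addr[sizeof(struct in6_addr)];
    size_t len;

    if (s == NULL)
        return 0;
    len = strlen(s);
    /* "[2001:db8::1]" as it appears in a URL or Host header */
    if (len >= 2 && s[0] == '[' && s[len - 1] == ']') {
        if (len - 2 >= sizeof(buf))
            return 0;           /* too long to be an address */
        memcpy(buf, s + 1, len - 2);
        buf[len - 2] = '\0';
        s = buf;
    }
    return inet_pton(AF_INET, s, addr) == 1 ||
           inet_pton(AF_INET6, s, addr) == 1;
}

/*
 * The value the proxy should send as SNI for the backend handshake, or
 * NULL meaning "send no server_name extension". Mirrors the three
 * conditions of the mod_ssl excerpt: a hostname note must exist, the
 * proxy protocol must not be SSLv2/SSLv3 (legacy_ssl is a hypothetical
 * flag standing in for that sc->proxy->protocol check), and the note must
 * not be an address, which RFC 6066 section 3 forbids in HostName.
 */
const char *sni_for_backend(const char *hostname_note, int legacy_ssl)
{
    if (hostname_note == NULL || *hostname_note == '\0')
        return NULL;
    if (legacy_ssl)
        return NULL;
    if (is_ip_literal(hostname_note))
        return NULL;
    return hostname_note;
}

int main(void)
{
    /* constructed values a ProxyPreserveHost On proxy might carry in
     * r->hostname; not taken from any real deployment */
    static const char *const notes[] = {
        "backend.example.com",
        "192.0.2.10",
        "2001:db8::1",
        "[2001:db8::1]",
        "localhost",
    };
    size_t i;

    for (i = 0; i < sizeof(notes) / sizeof(notes[0]); i++) {
        const char *sni = sni_for_backend(notes[i], 0);
        printf("%-22s -> %s\n", notes[i],
               sni ? sni : "(no server_name extension)");
    }
    return 0;
}
```

Build with `cc -o sni sni.c && ./sni`. A numeric hostname note yields no server_name extension at all, which is exactly what the apr_ipsubnet_create() test in mod_ssl already produces for Pavel's https://a.b.c.d case; that is why Yann points at the handshake failure being caused elsewhere rather than by an IP address in SNI.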