httpd-dev mailing list archives

From Yann Ylavic <ylavic....@gmail.com>
Subject Re: [PATCH 57100] "SSLProtocol ALL" is ignored for virtual hosts
Date Thu, 22 Jan 2015 17:25:25 GMT
On Thu, Jan 22, 2015 at 4:45 PM, Eric Covener <covener@gmail.com> wrote:
> On Thu, Jan 22, 2015 at 8:27 AM, Michael Kaufmann
> <mail@michael-kaufmann.ch> wrote:
>> Hi,
>>
>> It would be great if somebody finds time to review the proposed patch for
>> bug 57100 (and maybe commit it to trunk). Any feedback would be greatly
>> appreciated.
>>
>> -> https://issues.apache.org/bugzilla/show_bug.cgi?id=57100
>
> Thanks, committed to trunk and proposed for 2.4.x.

I was about to propose a different patch which may be less intrusive
(it does not require defining a new SSL_PROTOCOL_UNSET).
It simply initializes the base server's protocol with SSL_PROTOCOL_ALL
(as before) but the vhosts' ones with SSL_PROTOCOL_NONE.
Then we can use cfgMerge(protocol, SSL_PROTOCOL_NONE) as proposed by Michael.

Something like this (based on the code before r1653906):

Index: modules/ssl/ssl_engine_config.c
===================================================================
--- modules/ssl/ssl_engine_config.c    (revision 1653011)
+++ modules/ssl/ssl_engine_config.c    (working copy)
@@ -97,7 +97,7 @@ BOOL ssl_config_global_isfixed(SSLModConfigRec *mc
 **  _________________________________________________________________
 */

-static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
+static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p, int vh)
 {
     mctx->sc                  = NULL; /* set during module init */

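Review bot: The new `vh` parameter added to the modssl_ctx_init signature carries a non-obvious contract — it decides whether `protocol` starts out as a sentinel meaning "inherit from the base server" — but nothing at the declaration says so. A one-line comment would spare the next reader a trip into the merge code: `/* vh: non-zero for a virtual host, whose protocol is left at SSL_PROTOCOL_NONE so that merging inherits the base server's value */`. The same undocumented parameter is threaded through modssl_ctx_init_proxy, modssl_ctx_init_server and ssl_config_server_new in the following hunks, so documenting it once here is enough. The body of modssl_ctx_init continues past this hunk.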
@@ -110,7 +110,7 @@ BOOL ssl_config_global_isfixed(SSLModConfigRec *mc
     mctx->ticket_key          = NULL;
 #endif

-    mctx->protocol            = SSL_PROTOCOL_ALL;
+    mctx->protocol            = vh ? SSL_PROTOCOL_NONE : SSL_PROTOCOL_ALL;

     mctx->pphrase_dialog_type = SSL_PPTYPE_UNSET;
     mctx->pphrase_dialog_path = NULL;
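Review bot: Using SSL_PROTOCOL_NONE as the "not configured" marker for a virtual host makes an explicitly configured empty protocol set indistinguishable from no configuration at all. If the SSLProtocol directive parser can leave a vhost at SSL_PROTOCOL_NONE (I believe subtracting every protocol, e.g. `-all`, does exactly that, but that is outside this patch), then `cfgMerge(protocol, SSL_PROTOCOL_NONE)` in the later modssl_ctx_cfg_merge hunk will silently replace that explicit value with the base server's, re-enabling protocols the administrator meant to disable on that vhost. That ambiguity is precisely what a distinct unset marker (the SSL_PROTOCOL_UNSET value this patch avoids, or a separate "was set" flag next to `protocol`) prevents. If this approach is kept, the parser should be checked to confirm it cannot yield SSL_PROTOCOL_NONE for a vhost, and that invariant recorded next to the ternary, e.g. `/* SSL_PROTOCOL_NONE doubles as "unset" for vhosts; the directive parser must never produce it */`. modssl_ctx_init begins and ends outside this hunk.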
@@ -161,14 +161,13 @@ BOOL ssl_config_global_isfixed(SSLModConfigRec *mc
 #endif
 }

-static void modssl_ctx_init_proxy(SSLSrvConfigRec *sc,
-                                  apr_pool_t *p)
+static void modssl_ctx_init_proxy(SSLSrvConfigRec *sc, apr_pool_t *p, int vh)
 {
     modssl_ctx_t *mctx;

     mctx = sc->proxy = apr_palloc(p, sizeof(*sc->proxy));

-    modssl_ctx_init(mctx, p);
+    modssl_ctx_init(mctx, p, vh);

     mctx->pkp = apr_palloc(p, sizeof(*mctx->pkp));

@@ -179,14 +178,13 @@ BOOL ssl_config_global_isfixed(SSLModConfigRec *mc
     mctx->pkp->ca_certs  = NULL;
 }

-static void modssl_ctx_init_server(SSLSrvConfigRec *sc,
-                                   apr_pool_t *p)
+static void modssl_ctx_init_server(SSLSrvConfigRec *sc, apr_pool_t *p, int vh)
 {
     modssl_ctx_t *mctx;

     mctx = sc->server = apr_palloc(p, sizeof(*sc->server));

-    modssl_ctx_init(mctx, p);
+    modssl_ctx_init(mctx, p, vh);

     mctx->pks = apr_pcalloc(p, sizeof(*mctx->pks));

@@ -198,7 +196,7 @@ BOOL ssl_config_global_isfixed(SSLModConfigRec *mc
 #endif
 }

-static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
+static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p, int vh)
 {
     SSLSrvConfigRec *sc = apr_palloc(p, sizeof(*sc));

@@ -224,9 +222,9 @@ BOOL ssl_config_global_isfixed(SSLModConfigRec *mc
 #endif
     sc->session_tickets        = UNSET;

-    modssl_ctx_init_proxy(sc, p);
+    modssl_ctx_init_proxy(sc, p, vh);

-    modssl_ctx_init_server(sc, p);
+    modssl_ctx_init_server(sc, p, vh);

     return sc;
 }
@@ -236,7 +234,7 @@ BOOL ssl_config_global_isfixed(SSLModConfigRec *mc
  */
 void *ssl_config_server_create(apr_pool_t *p, server_rec *s)
 {
-    SSLSrvConfigRec *sc = ssl_config_server_new(p);
+    SSLSrvConfigRec *sc = ssl_config_server_new(p, s->is_virtual);

     sc->mc = ssl_config_global_create(s);

@@ -254,7 +252,7 @@ static void modssl_ctx_cfg_merge(apr_pool_t *p,
                                  modssl_ctx_t *add,
                                  modssl_ctx_t *mrg)
 {
-    cfgMerge(protocol, SSL_PROTOCOL_ALL);
+    cfgMerge(protocol, SSL_PROTOCOL_NONE);

     cfgMerge(pphrase_dialog_type, SSL_PPTYPE_UNSET);
     cfgMergeString(pphrase_dialog_path);
@@ -337,7 +335,7 @@ void *ssl_config_server_merge(apr_pool_t *p, void
 {
     SSLSrvConfigRec *base = (SSLSrvConfigRec *)basev;
     SSLSrvConfigRec *add  = (SSLSrvConfigRec *)addv;
-    SSLSrvConfigRec *mrg  = ssl_config_server_new(p);
+    SSLSrvConfigRec *mrg  = ssl_config_server_new(p, 1);

     cfgMerge(mc, NULL);
     cfgMerge(enabled, SSL_ENABLED_UNSET);
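Review bot: `ssl_config_server_new(p, 1)` passes a bare literal whose meaning is only clear after reading modssl_ctx_init, and the value is presumably irrelevant here because `mrg->protocol` is then assigned by `cfgMerge(protocol, ...)` from either `add` or `base`. A trailing comment would save the next reader the lookup: `SSLSrvConfigRec *mrg  = ssl_config_server_new(p, 1); /* vh=1: initial values are placeholders, every merged field is assigned below */`. ssl_config_server_merge's body continues past this hunk.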
--
