httpd-dev mailing list archives

From Yann Ylavic <ylavic....@gmail.com>
Subject Re: 2.4.17 test failure for mod_http2 (test 30-31, misdirected)
Date Sun, 11 Oct 2015 15:43:26 GMT
On Sun, Oct 11, 2015 at 4:24 PM, Rainer Jung <rainer.jung@kippdata.de> wrote:
> On 11.10.2015 at 16:04, Rainer Jung wrote:
>>
>> # testing : GET https://localhost:8532/misdirected
>> # expected: 421
>> # received: '404'
>> not ok 30
>> # Failed test 30 in t/modules/http2.t at line 129 fail #6
>> # testing : GET https://localhost:8532/misdirected
>> # expected: 421
>> # received: '404'
>> not ok 31
>>
>> Is this expected for 2.4? I didn't find anything about this in the
>> trace8 error log.
>>
>> Any hints how to debug? I was using OpenSSL 1.0.2c in the client (Perl
>> Test Framework) and 1.0.2d in the server.
>
>
> Don't know whether it is related, but there is a small delta between trunk
> modules/ssl/ssl_engine_kernel.c and 2.4.x:
>
> --- 2.4.x/modules/ssl/ssl_engine_kernel.c
> +++ trunk/modules/ssl/ssl_engine_kernel.c
> @@ -554,6 +529,8 @@
>       */
>      if ((dc->nVerifyClient != SSL_CVERIFY_UNSET) ||
>          (sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) {
> +        SSLSrvConfigRec *hssc = mySrvConfig(handshakeserver);
> +
>          /* remember old state */
>          verify_old = SSL_get_verify_mode(ssl);
>          /* configure new state */
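Review bot: the `hssc` declaration added at the top of the verify block now evaluates `mySrvConfig(handshakeserver)` whenever either verify mode is set, not only on the `renegotiate` path where the following hunk removes it, and nothing in these lines shows a new use that needs the wider scope. If the only consumers are the `MODSSL_CFG_CA_NE` comparisons, keep the declaration next to them; otherwise add a comment naming what else in this block reads `hssc`.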
> @@ -617,8 +623,6 @@
>              && renegotiate
>              && ((verify & SSL_VERIFY_PEER) ||
>                  (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
> -            SSLSrvConfigRec *hssc = mySrvConfig(handshakeserver);
> -
>  #define MODSSL_CFG_CA_NE(f, sc1, sc2) \
>              (sc1->server->auth.f && \
>               (!sc2->server->auth.f || \

This change (hunk) may be the one which changed the 421 behaviour:

--- 2.4.x/modules/ssl/ssl_engine_kernel.c (original)
+++ 2.4.x/modules/ssl/ssl_engine_kernel.c Mon Sep 28 13:06:31 2015
@@ -196,11 +195,12 @@ int ssl_hook_ReadReq(request_rec *r)
                             " provided in HTTP request", servername);
                 return HTTP_BAD_REQUEST;
             }
-            rv = apr_parse_addr_port(&host, &scope_id, &port,
r->hostname, r->pool);
-            if (rv != APR_SUCCESS || scope_id) {
-                return HTTP_BAD_REQUEST;
-            }
-            if (strcasecmp(host, servername)) {
+            if (r->server != handshakeserver) {
+                /*
+                 * We are really not in Kansas anymore...
+                 * The request does not select the virtual host that was
+                 * selected by the SNI.
+                 */
                 ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
APLOGNO(02032)
                             "Hostname %s provided via SNI and
hostname %s provided"
                             " via HTTP are different", servername, host);

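Review bot: the `ap_log_error()` call kept as context at the end of this hunk still passes `host` as the "provided via HTTP" argument, but the `apr_parse_addr_port()` call that assigned `host` is removed here and no other assignment is visible. Log `r->hostname` instead, and since the condition is now `r->server != handshakeserver`, consider rewording the message, which still says the two hostnames "are different" when what is tested is that the request selected a different virtual host than the SNI did.
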
Previously we issued 421 based on the handshaken Host header vs the
current one, we now only control that request is still on the same
server.
So with no or the default vhost which can handle different requested
Host, there previously could be "refused" with 421 whereas now they
pass the ssl_Auth hook (which is OK since the SSL configuration
between the handshaken and this request has not changed).

Didn't look whether the test is still relevant (not much time for now,
sorry), but it might not be.
Hope this helps...
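
The behaviour change described in this message, as an added C model (not mod_ssl code and not part of the original message): the old check compares the SNI name with the Host header, the new one compares the virtual hosts the two names select. The `vhost` type, `select_vhost`, `check_names`, `check_servers` and the host names are hypothetical, and the Host value is assumed to be already stripped of any port.

```c
#include <stdio.h>
#include <stddef.h>
#include <strings.h>

/* Constructed model, not mod_ssl code: a vhost is a name plus a default flag. */
typedef struct { const char *name; int is_default; } vhost;

enum { PASS = 0, MISDIRECTED = 421 };

/* Constructed sample configuration: one default vhost, one named vhost. */
static const vhost SAMPLE[] = { { "localhost", 1 }, { "other.example", 0 } };
static const size_t SAMPLE_N = sizeof SAMPLE / sizeof SAMPLE[0];

/* Name-based selection: exact name match wins, otherwise the default vhost. */
static const vhost *select_vhost(const vhost *v, size_t n, const char *name)
{
    const vhost *dflt = NULL;
    for (size_t i = 0; i < n; i++) {
        if (strcasecmp(v[i].name, name) == 0)
            return &v[i];
        if (v[i].is_default)
            dflt = &v[i];
    }
    return dflt;
}

/* Check before the change: SNI name and Host header must be the same string. */
static int check_names(const char *sni, const char *host)
{
    return strcasecmp(host, sni) != 0 ? MISDIRECTED : PASS;
}

/* Check after the change: both names must select the same vhost. */
static int check_servers(const vhost *v, size_t n, const char *sni, const char *host)
{
    return select_vhost(v, n, host) != select_vhost(v, n, sni) ? MISDIRECTED : PASS;
}

int main(void)
{
    const char *hosts[] = { "localhost", "unknown.example", "other.example" };
    for (size_t i = 0; i < 3; i++)
        printf("SNI=localhost Host=%-16s names=%d servers=%d\n", hosts[i],
               check_names("localhost", hosts[i]),
               check_servers(SAMPLE, SAMPLE_N, "localhost", hosts[i]));
    return 0;
}
```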
