httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Yann Ylavic <ylavic....@gmail.com>
Subject Re: 2.4.3x regression w/SSL vhost configs
Date Fri, 13 Apr 2018 11:55:40 GMT
On Fri, Apr 13, 2018 at 1:11 PM, Joe Orton <jorton@redhat.com> wrote:
>
> TL;DR:
> 1. my head hurts
> 2. I think my patch is OK
>
> Anyone read this far?

Yep, I was about to write almost the same long one too :)

One thing to add maybe.
At runtime, *with SNI*, when ssl_callback_ServerNameIndication() gets
called and ap_vhost_iterate_given_conn()::ssl_find_vhost() reaches the
second nvh (beta, with no SSL) corresponding to the SNI, we do
SSL_set_SSL_CTX to switch the SSL's SSL_CTX from
SSLSrvConfig(alpha)->ssl_ctx (pre-set at ssl_hook_pre_connection()
time) to SSLSrvConfig(beta)->ssl_ctx -- sorry for the overlong
sentence.
However here SSLSrvConfig(beta)->ssl_ctx is NULL (No SSL* directive
configured), so SSL_set_SSL_CTX(ssl, NULL) ends up preserving alpha's
and thus we continue with the context of alpha to handle the
connection.

This doesn't look right to me, maybe it is for compatibility on 2.4.x,
but I feel that we should bail out there since beta has really nothing
to do with accepting SSL connections if not explicitely configured to
(is the port in VirtualHost a good criteria? no own SSLCertificate
really? browsers will complain any with no wildcard magic).


Regards,
Yann.

Mime
View raw message