From 08bb147aa83f48166b24cba779498f2df29baf5d Mon Sep 17 00:00:00 2001
From: Jan Kaluza
Date: Thu, 18 Apr 2013 07:50:29 +0200
Subject: [PATCH] mod_ssl: ignore SNI hints unless required by config
---
httpd-2.4.3-sslsninotreq.patch | 83 ++++++++++++++++++++++++++++++++++
httpd.spec | 3 ++
2 files changed, 86 insertions(+)
create mode 100644 httpd-2.4.3-sslsninotreq.patch
diff --git a/httpd-2.4.3-sslsninotreq.patch b/httpd-2.4.3-sslsninotreq.patch
new file mode 100644
index 0000000..6e158c6
--- /dev/null
+++ b/httpd-2.4.3-sslsninotreq.patch
@@ -0,0 +1,83 @@
+diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
+index 15993f1..53ed6f1 100644
+--- a/modules/ssl/ssl_engine_config.c
++++ b/modules/ssl/ssl_engine_config.c
+@@ -55,6 +55,7 @@ SSLModConfigRec *ssl_config_global_create(server_rec *s)
+ mc = (SSLModConfigRec *)apr_palloc(pool, sizeof(*mc));
+ mc->pPool = pool;
+ mc->bFixed = FALSE;
++ mc->sni_required = FALSE;
+
+ /*
+ * initialize per-module configuration
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index bf1f0e4..a7523de 100644
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -409,7 +409,7 @@ int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
+ /*
+ * Configuration consistency checks
+ */
+- ssl_init_CheckServers(base_server, ptemp);
++ ssl_init_CheckServers(mc, base_server, ptemp);
+
+ /*
+ * Announce mod_ssl and SSL library in HTTP Server field
+@@ -1475,7 +1475,7 @@ void ssl_init_ConfigureServer(server_rec *s,
+ }
+ }
+
+-void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
++void ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *base_server, apr_pool_t *p)
+ {
+ server_rec *s, *ps;
+ SSLSrvConfigRec *sc;
+@@ -1557,6 +1557,7 @@ void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
+ }
+
+ if (conflict) {
++ mc->sni_required = TRUE;
+ #ifdef OPENSSL_NO_TLSEXT
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01917)
+ "Init: You should not use name-based "
+diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
+index bc9e26b..2460f01 100644
+--- a/modules/ssl/ssl_engine_kernel.c
++++ b/modules/ssl/ssl_engine_kernel.c
+@@ -164,6 +164,7 @@ int ssl_hook_ReadReq(request_rec *r)
+ return DECLINED;
+ }
+ #ifndef OPENSSL_NO_TLSEXT
++ if (myModConfig(r->server)->sni_required) {
+ if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
+ char *host, *scope_id;
+ apr_port_t port;
+@@ -206,6 +207,7 @@ int 
ssl_hook_ReadReq(request_rec *r)
+ " virtual host");
+ return HTTP_FORBIDDEN;
+ }
++ }
+ #endif
+ SSL_set_app_data2(ssl, r);
+
+diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
+index 75fc0e3..31dbfa9 100644
+--- a/modules/ssl/ssl_private.h
++++ b/modules/ssl/ssl_private.h
+@@ -554,6 +554,7 @@ typedef struct {
+ struct {
+ void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
+ } rCtx;
++ BOOL sni_required;
+ } SSLModConfigRec;
+
+ /** Structure representing configured filenames for certs and keys for
+@@ -786,7 +787,7 @@ const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag);
+ int ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
+ void ssl_init_Engine(server_rec *, apr_pool_t *);
+ void ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *);
+-void ssl_init_CheckServers(server_rec *, apr_pool_t *);
++void ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *, apr_pool_t *);
+ STACK_OF(X509_NAME)
+ *ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *);
+ void ssl_init_Child(apr_pool_t *, server_rec *);
diff --git a/httpd.spec b/httpd.spec
index b9851a7..33f6c51 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -61,6 +61,7 @@ Patch28: httpd-2.4.4-r1332643+.patch
Patch29: httpd-2.4.3-mod_systemd.patch
# Bug fixes
Patch50: httpd-2.4.2-r1374214+.patch
+Patch51: httpd-2.4.3-sslsninotreq.patch
License: ASL 2.0
Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -182,6 +183,7 @@ interface for storing and accessing per-user session data.
%patch29 -p1 -b .systemd
%patch50 -p1 -b .r1374214+
+%patch51 -p1 -b .sninotreq
# Patch in the vendor string
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
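Review bot: In the ssl_engine_kernel.c hunk the new `if (myModConfig(r->server)->sni_required) {` guard makes ssl_hook_ReadReq skip the whole SNI-versus-Host comparison, including the `HTTP_FORBIDDEN` response, whenever ssl_init_CheckServers found no name-based SSL vhost conflict at startup, and neither the guard nor the new `BOOL sni_required` field in ssl_private.h says so. A maintainer reading the kernel code later will not see why a Host header that disagrees with the TLS servername is now accepted, so the field deserves a comment such as `/* TRUE when ssl_init_CheckServers found SSL vhosts sharing an address, i.e. SNI is needed to select the vhost; ssl_hook_ReadReq enforces SNI/Host agreement only in that case */`. Because the flag lives in the module-global SSLModConfigRec and is set on any conflict, one conflicting address appears to turn the check on for every request on every server, which is worth stating at the `mc->sni_required = TRUE;` line since the scope of the `if (conflict)` block is not visible here. Note also that the assignment sits before `#ifdef OPENSSL_NO_TLSEXT` while the only reader is inside `#ifndef OPENSSL_NO_TLSEXT`, so in a no-TLSEXT build the flag is written but never read. Both ssl_init_CheckServers and ssl_hook_ReadReq begin and end outside the quoted hunks.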
@@ -606,6 +608,7 @@ rm -rf $RPM_BUILD_ROOT
%changelog
* Thu Apr 18 2013 Jan Kaluza - 2.4.4-5
- execute systemctl reload as result of apachectl graceful
+- mod_ssl: ignore SNI hints unless required by config
* Tue Apr 16 2013 Jan Kaluza - 2.4.4-4
- fix service file to not send SIGTERM after ExecStop (#906321, #912288)