mod_ssl: ignore SNI hints unless required by config

This commit is contained in:
Jan Kaluza 2013-04-18 07:50:29 +02:00
parent 9de9bf8dd6
commit 08bb147aa8
2 changed files with 86 additions and 0 deletions


@ -0,0 +1,83 @@
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 15993f1..53ed6f1 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -55,6 +55,7 @@ SSLModConfigRec *ssl_config_global_create(server_rec *s)
mc = (SSLModConfigRec *)apr_palloc(pool, sizeof(*mc));
mc->pPool = pool;
mc->bFixed = FALSE;
+ mc->sni_required = FALSE;
/*
* initialize per-module configuration
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index bf1f0e4..a7523de 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -409,7 +409,7 @@ int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
/*
* Configuration consistency checks
*/
- ssl_init_CheckServers(base_server, ptemp);
+ ssl_init_CheckServers(mc, base_server, ptemp);
/*
* Announce mod_ssl and SSL library in HTTP Server field
@@ -1475,7 +1475,7 @@ void ssl_init_ConfigureServer(server_rec *s,
}
}
-void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
+void ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *base_server, apr_pool_t *p)
{
server_rec *s, *ps;
SSLSrvConfigRec *sc;
@@ -1557,6 +1557,7 @@ void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
}
if (conflict) {
+ mc->sni_required = TRUE;
#ifdef OPENSSL_NO_TLSEXT
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01917)
"Init: You should not use name-based "
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index bc9e26b..2460f01 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -164,6 +164,7 @@ int ssl_hook_ReadReq(request_rec *r)
return DECLINED;
}
#ifndef OPENSSL_NO_TLSEXT
+ if (myModConfig(r->server)->sni_required) {
if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
char *host, *scope_id;
apr_port_t port;
@@ -206,6 +207,7 @@ int ssl_hook_ReadReq(request_rec *r)
" virtual host");
return HTTP_FORBIDDEN;
}
+ }
#endif
SSL_set_app_data2(ssl, r);
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 75fc0e3..31dbfa9 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -554,6 +554,7 @@ typedef struct {
struct {
void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
} rCtx;
+ BOOL sni_required;
} SSLModConfigRec;
/** Structure representing configured filenames for certs and keys for
@@ -786,7 +787,7 @@ const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag);
int ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
void ssl_init_Engine(server_rec *, apr_pool_t *);
void ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *);
-void ssl_init_CheckServers(server_rec *, apr_pool_t *);
+void ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *, apr_pool_t *);
STACK_OF(X509_NAME)
*ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *);
void ssl_init_Child(apr_pool_t *, server_rec *);
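Review bot: The new gate at `if (myModConfig(r->server)->sni_required) {` in ssl_hook_ReadReq switches off the entire SNI-versus-Host consistency block, so on a server where ssl_init_CheckServers found no conflicting name-based SSL vhosts a client that negotiated TLS under one SNI name and then sends a Host header for a different vhost on the same IP:port appears to be served instead of getting the HTTP_FORBIDDEN the old code returned. That relaxation rests entirely on the `conflict` computation, which is outside this hunk; any per-vhost difference that computation does not compare (client-certificate requirements, per-vhost SSL access rules, a directive added later) would silently disable the check. The flag is also server-wide: one conflicting pair makes the check mandatory for every vhost and none disables it everywhere, which the assignment should say, e.g. `mc->sni_required = TRUE; /* global: any conflicting name-based SSL vhost enforces the SNI/Host check for all requests */`. If the gated block also rejects a malformed SNI value (the `host, scope_id, port` locals suggest an address parse), that input validation is skipped too and is better kept outside the gate. The body of ssl_hook_ReadReq continues outside the hunk.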


@ -61,6 +61,7 @@ Patch28: httpd-2.4.4-r1332643+.patch
Patch29: httpd-2.4.3-mod_systemd.patch Patch29: httpd-2.4.3-mod_systemd.patch
# Bug fixes # Bug fixes
Patch50: httpd-2.4.2-r1374214+.patch Patch50: httpd-2.4.2-r1374214+.patch
Patch51: httpd-2.4.3-sslsninotreq.patch
License: ASL 2.0 License: ASL 2.0
Group: System Environment/Daemons Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@ -182,6 +183,7 @@ interface for storing and accessing per-user session data.
%patch29 -p1 -b .systemd %patch29 -p1 -b .systemd
%patch50 -p1 -b .r1374214+ %patch50 -p1 -b .r1374214+
%patch51 -p1 -b .sninotreq
# Patch in the vendor string # Patch in the vendor string
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@ -606,6 +608,7 @@ rm -rf $RPM_BUILD_ROOT
%changelog %changelog
* Thu Apr 18 2013 Jan Kaluza <jkaluza@redhat.com> - 2.4.4-5 * Thu Apr 18 2013 Jan Kaluza <jkaluza@redhat.com> - 2.4.4-5
- execute systemctl reload as result of apachectl graceful - execute systemctl reload as result of apachectl graceful
- mod_ssl: ignore SNI hints unless required by config
* Tue Apr 16 2013 Jan Kaluza <jkaluza@redhat.com> - 2.4.4-4 * Tue Apr 16 2013 Jan Kaluza <jkaluza@redhat.com> - 2.4.4-4
- fix service file to not send SIGTERM after ExecStop (#906321, #912288) - fix service file to not send SIGTERM after ExecStop (#906321, #912288)