From 0d46269f5bb473a083a216fc7d8a2dde0d964b3b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?= <luhliari@redhat.com>
Date: Mon, 10 Nov 2025 17:03:58 +0100
Subject: [PATCH] SSL vhost SNI policy: Fix handling of STRICT mode.

Resolves: RHEL-125880 - mod_ssl: allow more fine grained SSL SNI vhost check
to avoid unnecessary 421 errors after CVE-2025-23048 fix
---
 httpd-2.4.63-sslvhostsnipolicy.patch | 53 ++++++++++++++--------------
 httpd.spec                           |  4 +--
 2 files changed, 29 insertions(+), 28 deletions(-)

diff --git a/httpd-2.4.63-sslvhostsnipolicy.patch b/httpd-2.4.63-sslvhostsnipolicy.patch
index fea888a..678c5d9 100644
--- a/httpd-2.4.63-sslvhostsnipolicy.patch
+++ b/httpd-2.4.63-sslvhostsnipolicy.patch
@@ -1,7 +1,7 @@
-From ba168444686368377c6e69373e20e6dae8ebb702 Mon Sep 17 00:00:00 2001
+From 165e748a40768183d5973c1f9866940bcbfc6ce8 Mon Sep 17 00:00:00 2001
 From: Joe Orton <jorton@apache.org>
-Date: Tue, 4 Nov 2025 12:49:36 +0100
-Subject: [PATCH] [PATCH] mod_ssl: Add SSLVHostSNIPolicy directive to set the
+Date: Mon, 10 Nov 2025 16:34:24 +0100
+Subject: [PATCH] mod_ssl: Add SSLVHostSNIPolicy directive to set the 
  compatibility level required for VirtualHost matching.
 
 For "secure" and "authonly" modes, a hash of the policy-relevant vhost
@@ -26,16 +26,16 @@ the runtime code complexity (and overhead).
 PR: 69743
 GitHub: closes #561
 ---
- docs/manual/mod/mod_ssl.html.en |  77 +++++++++++++++++++
+ docs/manual/mod/mod_ssl.html.en |  77 ++++++++++++++++++
  modules/ssl/mod_ssl.c           |   2 +
  modules/ssl/ssl_engine_config.c |  41 ++++++++++
- modules/ssl/ssl_engine_init.c   | 107 ++++++++++++++++++++++++++
- modules/ssl/ssl_engine_kernel.c | 131 ++++++--------------------------
- modules/ssl/ssl_private.h       |  17 +++++
- 6 files changed, 266 insertions(+), 109 deletions(-)
+ modules/ssl/ssl_engine_init.c   | 107 +++++++++++++++++++++++++
+ modules/ssl/ssl_engine_kernel.c | 133 ++++++--------------------------
+ modules/ssl/ssl_private.h       |  17 ++++
+ 6 files changed, 267 insertions(+), 110 deletions(-)
 
 diff --git a/docs/manual/mod/mod_ssl.html.en b/docs/manual/mod/mod_ssl.html.en
-index e2a4a99..95f0667 100644
+index 8d83c42..cd62af2 100644
 --- a/docs/manual/mod/mod_ssl.html.en
 +++ b/docs/manual/mod/mod_ssl.html.en
 @@ -125,6 +125,7 @@ to provide the cryptography engine.</p>
@@ -202,7 +202,7 @@ index c5dce7f..f856b18 100644
  
  const char *ssl_cmd_SSLStaplingCache(cmd_parms *cmd,
 diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
-index 2fbd076..1bf6ac4 100644
+index 5bf7a5b..6d89cc7 100644
 --- a/modules/ssl/ssl_engine_init.c
 +++ b/modules/ssl/ssl_engine_init.c
 @@ -30,6 +30,7 @@
@@ -334,7 +334,7 @@ index 2fbd076..1bf6ac4 100644
  
      /*
 diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
-index 33aa1f7..a6af633 100644
+index 33aa1f7..83ae90e 100644
 --- a/modules/ssl/ssl_engine_kernel.c
 +++ b/modules/ssl/ssl_engine_kernel.c
 @@ -101,112 +101,28 @@ static int fill_reneg_buffer(request_rec *r, SSLDirConfigRec *dc)
@@ -371,7 +371,10 @@ index 33aa1f7..a6af633 100644
 -    }
 -    return 1;
 -}
--
++    /* Policy: strict => fail for any vhost transition. */
++    if (policy == MODSSL_SNIVH_STRICT)
++        return sc1 == sc2;
+ 
 -static int ssl_pk_server_compatible(modssl_pk_server_t *pks1, 
 -                                    modssl_pk_server_t *pks2) 
 -{
@@ -395,7 +398,10 @@ index 33aa1f7..a6af633 100644
 -    }
 -    return 1;
 -}
--
++    /* For authonly/secure policy, compare the hash. */
++    AP_DEBUG_ASSERT(sc1->sni_policy_hash);
++    AP_DEBUG_ASSERT(sc2->sni_policy_hash);
+ 
 -static int ssl_auth_compatible(modssl_auth_ctx_t *a1, 
 -                               modssl_auth_ctx_t *a2) 
 -{
@@ -440,21 +446,16 @@ index 33aa1f7..a6af633 100644
 -        || (ctx1->protocol != ctx2->protocol)
 -        || !ssl_auth_compatible(&ctx1->auth, &ctx2->auth)
 -        || !ssl_pk_server_compatible(ctx1->pks, ctx2->pks)) {
-+    /* Policy: strict => fail for any vhost transition. */
-+    if (policy == MODSSL_SNIVH_STRICT && sc1 != sc2)
-         return 0;
+-        return 0;
 -    }
 -    return 1;
 -}
- 
+-
 -static int ssl_server_compatible(server_rec *s1, server_rec *s2)
 -{
 -    SSLSrvConfigRec *sc1 = s1? mySrvConfig(s1) : NULL;
 -    SSLSrvConfigRec *sc2 = s2? mySrvConfig(s2) : NULL;
-+    /* For authonly/secure policy, compare the hash. */
-+    AP_DEBUG_ASSERT(sc1->sni_policy_hash);
-+    AP_DEBUG_ASSERT(sc2->sni_policy_hash);
- 
+-
 -    /* both use the same TLS protocol? */
 -    if (!sc1 || !sc2 
 -        || !ssl_ctx_compatible(sc1->server, sc2->server)) {
@@ -500,10 +501,10 @@ index 33aa1f7..a6af633 100644
          }
      }
 diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
-index 2b18189..dbef182 100644
+index 58f0e95..a74e277 100644
 --- a/modules/ssl/ssl_private.h
 +++ b/modules/ssl/ssl_private.h
-@@ -556,6 +556,19 @@ typedef struct {
+@@ -548,6 +548,19 @@ typedef struct {
      int          nBytes;
  } ssl_randseed_t;
  
@@ -523,7 +524,7 @@ index 2b18189..dbef182 100644
  /**
   * Define the structure of an ASN.1 anything
   */
-@@ -689,6 +702,8 @@ typedef struct {
+@@ -681,6 +694,8 @@ typedef struct {
  #ifdef HAVE_FIPS
      BOOL             fips;
  #endif
@@ -532,7 +533,7 @@ index 2b18189..dbef182 100644
  } SSLModConfigRec;
  
  /** Structure representing configured filenames for certs and keys for
-@@ -843,6 +858,7 @@ struct SSLSrvConfigRec {
+@@ -835,6 +850,7 @@ struct SSLSrvConfigRec {
      modssl_ctx_t    *server;
  #ifdef HAVE_TLSEXT
      ssl_enabled_t    strict_sni_vhost_check;
@@ -540,7 +541,7 @@ index 2b18189..dbef182 100644
  #endif
  #ifndef OPENSSL_NO_COMP
      BOOL             compression;
-@@ -918,6 +934,7 @@ const char  *ssl_cmd_SSLRequire(cmd_parms *, void *, const char *);
+@@ -910,6 +926,7 @@ const char  *ssl_cmd_SSLRequire(cmd_parms *, void *, const char *);
  const char  *ssl_cmd_SSLUserName(cmd_parms *, void *, const char *);
  const char  *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
  const char  *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
diff --git a/httpd.spec b/httpd.spec
index d799586..69c1be1 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -25,7 +25,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.63
-Release: 7%{?dist}
+Release: 8%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@@ -846,7 +846,7 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
-* Thu Nov 06 2025 Luboš Uhliarik <luhliari@redhat.com> - 2.4.63-7
+* Thu Nov 06 2025 Luboš Uhliarik <luhliari@redhat.com> - 2.4.63-8
 - Resolves: RHEL-125880 - mod_ssl: allow more fine grained SSL SNI vhost check
   to avoid unnecessary 421 errors after CVE-2025-23048 fix