- mod_ssl: add conf.d/snipolicy.conf to set 'SSLVHostSNIPolicy authonly' default

Resolves: RHEL-119000
2025-11-07 11:02:42 +00:00 · 2025-11-07 11:02:42 +00:00 · 9f7c4b3c9c
commit 9f7c4b3c9c
parent c28866c1a2
3 changed files with 45 additions and 22 deletions
--- a/httpd-2.4.62-sslvhostsnipolicy.patch
+++ b/httpd-2.4.62-sslvhostsnipolicy.patch
@ -1,8 +1,8 @@
-From be810abbbe42651a357f5e6a40d0d495e20ce206 Mon Sep 17 00:00:00 2001
+From f063cc14f9aae9c19de45dfa3c48828a75249e05 Mon Sep 17 00:00:00 2001
 From: Joe Orton <jorton@apache.org>
-Date: Thu, 6 Nov 2025 16:11:14 +0100
-Subject: [PATCH] mod_ssl: Add SSLVHostSNIPolicy directive to set the compatibility 
-level required for VirtualHost matching.
+Date: Tue, 11 Nov 2025 10:23:22 +0100
+Subject: [PATCH] mod_ssl: Add SSLVHostSNIPolicy directive to set the
+ compatibility level required for VirtualHost matching.

 For "secure" and "authonly" modes, a hash of the policy-relevant vhost
 configuration is created and stored in the post_config hooks, reducing
@ -26,13 +26,13 @@ the runtime code complexity (and overhead).
 PR: 69743
 GitHub: closes #561
 ---
- docs/manual/mod/mod_ssl.html.en |  77 +++++++++++++++++++
+ docs/manual/mod/mod_ssl.html.en |  77 ++++++++++++++++++
 modules/ssl/mod_ssl.c           |   2 +
 modules/ssl/ssl_engine_config.c |  41 ++++++++++
- modules/ssl/ssl_engine_init.c   | 107 ++++++++++++++++++++++++++
- modules/ssl/ssl_engine_kernel.c | 131 ++++++--------------------------
- modules/ssl/ssl_private.h       |  17 +++++
- 6 files changed, 266 insertions(+), 109 deletions(-)
+ modules/ssl/ssl_engine_init.c   | 107 +++++++++++++++++++++++++
+ modules/ssl/ssl_engine_kernel.c | 133 ++++++--------------------------
+ modules/ssl/ssl_private.h       |  17 ++++
+ 6 files changed, 267 insertions(+), 110 deletions(-)

 diff --git a/docs/manual/mod/mod_ssl.html.en b/docs/manual/mod/mod_ssl.html.en
 index 3fc8a48..6a929ea 100644
@ -334,7 +334,7 @@ index 309a7a4..6208564 100644
 
     /*
 diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
-index 33aa1f7..a6af633 100644
+index 33aa1f7..83ae90e 100644
 --- a/modules/ssl/ssl_engine_kernel.c
 +++ b/modules/ssl/ssl_engine_kernel.c
@@ -101,112 +101,28 @@ static int fill_reneg_buffer(request_rec *r, SSLDirConfigRec *dc)
@ -371,7 +371,10 @@ index 33aa1f7..a6af633 100644
 -    }
 -    return 1;
 -}
-
+    /* Policy: strict => fail for any vhost transition. */
+    if (policy == MODSSL_SNIVH_STRICT)
+        return sc1 == sc2;
+ 
 -static int ssl_pk_server_compatible(modssl_pk_server_t *pks1, 
 -                                    modssl_pk_server_t *pks2) 
 -{
@ -395,7 +398,10 @@ index 33aa1f7..a6af633 100644
 -    }
 -    return 1;
 -}
-
+    /* For authonly/secure policy, compare the hash. */
+    AP_DEBUG_ASSERT(sc1->sni_policy_hash);
+    AP_DEBUG_ASSERT(sc2->sni_policy_hash);
+ 
 -static int ssl_auth_compatible(modssl_auth_ctx_t *a1, 
 -                               modssl_auth_ctx_t *a2) 
 -{
@ -440,21 +446,16 @@ index 33aa1f7..a6af633 100644
 -        || (ctx1->protocol != ctx2->protocol)
 -        || !ssl_auth_compatible(&ctx1->auth, &ctx2->auth)
 -        || !ssl_pk_server_compatible(ctx1->pks, ctx2->pks)) {
-+    /* Policy: strict => fail for any vhost transition. */
-+    if (policy == MODSSL_SNIVH_STRICT && sc1 != sc2)
-         return 0;
+-        return 0;
 -    }
 -    return 1;
 -}
- 
+-
 -static int ssl_server_compatible(server_rec *s1, server_rec *s2)
 -{
 -    SSLSrvConfigRec *sc1 = s1? mySrvConfig(s1) : NULL;
 -    SSLSrvConfigRec *sc2 = s2? mySrvConfig(s2) : NULL;
-+    /* For authonly/secure policy, compare the hash. */
-+    AP_DEBUG_ASSERT(sc1->sni_policy_hash);
-+    AP_DEBUG_ASSERT(sc2->sni_policy_hash);
- 
+-
 -    /* both use the same TLS protocol? */
 -    if (!sc1 || !sc2 
 -        || !ssl_ctx_compatible(sc1->server, sc2->server)) {
--- a/httpd.spec
+++ b/httpd.spec
@ -4,6 +4,7 @@
 %define mmn 20120211
 %define mmnisa %{mmn}%{__isa_name}%{__isa_bits}
 %define vstring %(source /etc/os-release; echo ${NAME})
+%define vprefix %(source /etc/os-release; echo ${ID})
 %if 0%{?fedora} > 26 || 0%{?rhel} > 7
 %global mpm event
 %else
@ -53,6 +54,7 @@ Source32: httpd.service.xml
 Source33: htcacheclean.service.xml
 Source34: httpd.conf.xml
 Source35: 00-brotli.conf
+Source36: snipolicy.conf
 Source40: htcacheclean.service
 Source41: htcacheclean.sysconf
 Source42: httpd-init.service
@ -339,7 +341,7 @@ xmlto man $RPM_SOURCE_DIR/httpd.service.xml
 xmlto man %{SOURCE47}

 : Building with MMN %{mmn}, MMN-ISA %{mmnisa}
-: Default MPM is %{mpm}, vendor string is '%{vstring}'
+: Default MPM is %{mpm}, vendor string is '%{vstring}', prefix is '%{vprefix}'

 %build
 # forcibly prevent use of bundled apr, apr-util, pcre
@ -444,10 +446,12 @@ mkdir $RPM_BUILD_ROOT%{_unitdir}/httpd.socket.d
 install -m 644 -p $RPM_SOURCE_DIR/10-listen443.conf \
      $RPM_BUILD_ROOT%{_unitdir}/httpd.socket.d/10-listen443.conf

-for f in welcome.conf ssl.conf manual.conf userdir.conf; do
+for f in welcome.conf ssl.conf manual.conf userdir.conf snipolicy.conf; do
  install -m 644 -p $RPM_SOURCE_DIR/$f \
        $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/$f
 done
+mv $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/snipolicy.conf \
+   $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/%{vprefix}-snipolicy.conf

 # Split-out extra config shipped as default in conf.d:
 for f in autoindex; do
@ -731,6 +735,7 @@ exit $rv

 %config(noreplace) %{_sysconfdir}/httpd/conf.d/*.conf
 %exclude %{_sysconfdir}/httpd/conf.d/ssl.conf
+%exclude %{_sysconfdir}/httpd/conf.d/*snipolicy.conf
 %exclude %{_sysconfdir}/httpd/conf.d/manual.conf

 %dir %{_sysconfdir}/httpd/conf.modules.d
@ -816,6 +821,7 @@ exit $rv
 %{_libdir}/httpd/modules/mod_ssl.so
 %config(noreplace) %{_sysconfdir}/httpd/conf.modules.d/00-ssl.conf
 %config(noreplace) %{_sysconfdir}/httpd/conf.d/ssl.conf
+%config(noreplace) %{_sysconfdir}/httpd/conf.d/*snipolicy.conf
 %attr(0700,apache,root) %dir %{_localstatedir}/cache/httpd/ssl
 %{_unitdir}/httpd-init.service
 %{_libexecdir}/httpd-ssl-pass-dialog
@ -855,6 +861,7 @@ exit $rv
 * Thu Nov 06 2025 Luboš Uhliarik <luhliari@redhat.com> - 2.4.62-10
 - Resolves: RHEL-119000 - mod_ssl: allow more fine grained SSL SNI vhost check
  to avoid unnecessary 421 errors after CVE-2025-23048 fix
+- mod_ssl: add conf.d/snipolicy.conf to set 'SSLVHostSNIPolicy authonly' default

 * Fri Oct 24 2025 Luboš Uhliarik <luhliari@redhat.com> - 2.4.62-9
 - Resolves: RHEL-105446 - mod_proxy_hcheck may stop healthchecks after a child
--- a/snipolicy.conf
+++ b/snipolicy.conf
@ -0,0 +1,15 @@
+#
+# Vendor override: Set the default SNI virtual host policy to "authonly"
+# to preserve compatibility between virtual hosts which differ only in
+# certificate or key configuration. This overrides the hard-coded
+# mod_ssl default mode of "secure".
+#
+# See the directive documentation for more information:
+# https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslvhostsnipolicy
+#
+# NOTE: if this file is removed, it will be restored on upgrades.
+# To disable the override, comment-out the lines below.
+#
+<IfDirective SSLVHostSNIPolicy>
+  SSLVHostSNIPolicy authonly
+</IfDirective>