[httpd] mod_ssl: ignore SNI hints unless required by config

Jan Kaluža jkaluza at fedoraproject.org
Thu Apr 18 06:47:31 UTC 2013


commit 08bb147aa83f48166b24cba779498f2df29baf5d
Author: Jan Kaluza <hanzz.k at gmail.com>
Date:   Thu Apr 18 07:50:29 2013 +0200

    mod_ssl: ignore SNI hints unless required by config

 httpd-2.4.3-sslsninotreq.patch |   83 ++++++++++++++++++++++++++++++++++++++++
 httpd.spec                     |    3 +
 2 files changed, 86 insertions(+), 0 deletions(-)
---
diff --git a/httpd-2.4.3-sslsninotreq.patch b/httpd-2.4.3-sslsninotreq.patch
new file mode 100644
index 0000000..6e158c6
--- /dev/null
+++ b/httpd-2.4.3-sslsninotreq.patch
@@ -0,0 +1,83 @@
+diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
+index 15993f1..53ed6f1 100644
+--- a/modules/ssl/ssl_engine_config.c
++++ b/modules/ssl/ssl_engine_config.c
+@@ -55,6 +55,7 @@ SSLModConfigRec *ssl_config_global_create(server_rec *s)
+     mc = (SSLModConfigRec *)apr_palloc(pool, sizeof(*mc));
+     mc->pPool = pool;
+     mc->bFixed = FALSE;
++    mc->sni_required = FALSE;
+ 
+     /*
+      * initialize per-module configuration
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index bf1f0e4..a7523de 100644
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -409,7 +409,7 @@ int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
+     /*
+      * Configuration consistency checks
+      */
+-    ssl_init_CheckServers(base_server, ptemp);
++    ssl_init_CheckServers(mc, base_server, ptemp);
+ 
+     /*
+      *  Announce mod_ssl and SSL library in HTTP Server field
+@@ -1475,7 +1475,7 @@ void ssl_init_ConfigureServer(server_rec *s,
+     }
+ }
+ 
+-void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
++void ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *base_server, apr_pool_t *p)
+ {
+     server_rec *s, *ps;
+     SSLSrvConfigRec *sc;
+@@ -1557,6 +1557,7 @@ void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
+     }
+ 
+     if (conflict) {
++        mc->sni_required = TRUE;
+ #ifdef OPENSSL_NO_TLSEXT
+         ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01917)
+                      "Init: You should not use name-based "
+diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
+index bc9e26b..2460f01 100644
+--- a/modules/ssl/ssl_engine_kernel.c
++++ b/modules/ssl/ssl_engine_kernel.c
+@@ -164,6 +164,7 @@ int ssl_hook_ReadReq(request_rec *r)
+         return DECLINED;
+     }
+ #ifndef OPENSSL_NO_TLSEXT
++    if (myModConfig(r->server)->sni_required) {
+     if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
+         char *host, *scope_id;
+         apr_port_t port;
+@@ -206,6 +207,7 @@ int ssl_hook_ReadReq(request_rec *r)
+                      " virtual host");
+         return HTTP_FORBIDDEN;
+     }
++    }
+ #endif
+     SSL_set_app_data2(ssl, r);
+ 
+diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
+index 75fc0e3..31dbfa9 100644
+--- a/modules/ssl/ssl_private.h
++++ b/modules/ssl/ssl_private.h
+@@ -554,6 +554,7 @@ typedef struct {
+     struct {
+         void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
+     } rCtx;
++    BOOL            sni_required;
+ } SSLModConfigRec;
+ 
+ /** Structure representing configured filenames for certs and keys for
+@@ -786,7 +787,7 @@ const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag);
+ int          ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
+ void         ssl_init_Engine(server_rec *, apr_pool_t *);
+ void         ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *);
+-void         ssl_init_CheckServers(server_rec *, apr_pool_t *);
++void         ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *, apr_pool_t *);
+ STACK_OF(X509_NAME)
+             *ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *);
+ void         ssl_init_Child(apr_pool_t *, server_rec *);
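Review bot: Gating the whole SNI consistency block in ssl_hook_ReadReq on `myModConfig(r->server)->sni_required` (the `if` added before `SSL_get_servername` and the bare `}` added before `#endif` in the ssl_engine_kernel.c part of this hunk) means that whenever ssl_init_CheckServers found no name-based vhost conflict, a request whose Host header differs from the TLS SNI name is no longer rejected with HTTP_FORBIDDEN, and from the visible context (`" virtual host"); return HTTP_FORBIDDEN;`) the branch that rejects a missing SNI name on a name-based vhost appears to be skipped as well. That is a deliberate relaxation of a security check and should be stated at the new `if`, e.g. `/* SNI/Host agreement is only enforced when ssl_init_CheckServers saw name-based SSL vhosts, where a mismatch could select a vhost with a different security policy */`. The wrapped body was not re-indented, so the new nesting is invisible to a reader; re-indenting the block, or at least marking the closing brace as `} /* sni_required */`, would make the scope clear. In the ssl_private.h part, the prototype `ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *, apr_pool_t *)` names only the new parameter while the others stay unnamed, unlike every neighbouring prototype; name all or none. ssl_hook_ReadReq and ssl_init_CheckServers both begin and end outside the inner hunks shown here.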
diff --git a/httpd.spec b/httpd.spec
index b9851a7..33f6c51 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -61,6 +61,7 @@ Patch28: httpd-2.4.4-r1332643+.patch
 Patch29: httpd-2.4.3-mod_systemd.patch
 # Bug fixes
 Patch50: httpd-2.4.2-r1374214+.patch
+Patch51: httpd-2.4.3-sslsninotreq.patch
 License: ASL 2.0
 Group: System Environment/Daemons
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -182,6 +183,7 @@ interface for storing and accessing per-user session data.
 %patch29 -p1 -b .systemd
 
 %patch50 -p1 -b .r1374214+
+%patch51 -p1 -b .sninotreq
 
 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -606,6 +608,7 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
 * Thu Apr 18 2013 Jan Kaluza <jkaluza at redhat.com> - 2.4.4-5
 - execute systemctl reload as result of apachectl graceful
+- mod_ssl: ignore SNI hints unless required by config
 
 * Tue Apr 16 2013 Jan Kaluza <jkaluza at redhat.com> - 2.4.4-4
 - fix service file to not send SIGTERM after ExecStop (#906321, #912288)

