Context Navigation

source: server/common/patches/httpd-2.2.x-sni.patch @ 1102

Last change on this file since 1102 was 1102, checked in by mitchb, 15 years ago
Update to current version of the 2.2.x SNI patch
File size: 20.8 KB

Rev	Line
[1102]	1	httpd-2.2.x-sni.patch - server name indication support for Apache 2.2
	2	(see RFC 4366, "Transport Layer Security (TLS) Extensions")
[683]	3
[1102]	4	Last updated 2009-04-08
[683]	5
[1102]	6	based on a patch from the EdelKey project
	7	(http://www.edelweb.fr/EdelKey/files/apache-2.2.0+0.9.9+servername.patch)
[683]	8
[1102]	9	Needs openssl-SNAP-20060330 / OpenSSL 0.9.8f or later
	10	to work properly (ftp://ftp.openssl.org/snapshot/). OpenSSL versions
	11	prior to 0.9.8j must be configured explicitly for TLS extension support
	12	at compile time ("./config enable-tlsext").
	13
[683]	14	Index: httpd-2.2.x/modules/ssl/ssl_private.h
	15	===================================================================
[1102]	16	--- httpd-2.2.x/modules/ssl/ssl_private.h (revision 763153)
[683]	17	+++ httpd-2.2.x/modules/ssl/ssl_private.h (working copy)
	18	@@ -35,6 +35,7 @@
	19	#include "http_connection.h"
	20	#include "http_request.h"
	21	#include "http_protocol.h"
	22	+#include "http_vhost.h"
	23	#include "util_script.h"
	24	#include "util_filter.h"
	25	#include "util_ebcdic.h"
[1102]	26	@@ -562,6 +563,9 @@ int ssl_callback_NewSessionCacheEntry(SSL
[683]	27	SSL_SESSION ssl_callback_GetSessionCacheEntry(SSL , unsigned char , int, int );
	28	void ssl_callback_DelSessionCacheEntry(SSL_CTX , SSL_SESSION );
	29	void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE, int, int);
	30	+#ifndef OPENSSL_NO_TLSEXT
	31	+int ssl_callback_ServerNameIndication(SSL , int , modssl_ctx_t *);
	32	+#endif
	33
	34	/** Session Cache Support */
	35	void ssl_scache_init(server_rec , apr_pool_t );
	36	Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c
	37	===================================================================
[1102]	38	--- httpd-2.2.x/modules/ssl/ssl_engine_init.c (revision 763153)
[683]	39	+++ httpd-2.2.x/modules/ssl/ssl_engine_init.c (working copy)
[1102]	40	@@ -358,6 +358,33 @@ static void ssl_init_server_check(server_rec *s,
[683]	41	}
	42	}
	43
	44	+#ifndef OPENSSL_NO_TLSEXT
	45	+static void ssl_init_ctx_tls_extensions(server_rec *s,
	46	+ apr_pool_t *p,
	47	+ apr_pool_t *ptemp,
	48	+ modssl_ctx_t *mctx)
	49	+{
	50	+ /*
	51	+ * Configure TLS extensions support
	52	+ */
	53	+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
	54	+ "Configuring TLS extension handling");
	55	+
	56	+ /*
	57	+ * Server name indication (SNI)
	58	+ */
	59	+ if (!SSL_CTX_set_tlsext_servername_callback(mctx->ssl_ctx,
	60	+ ssl_callback_ServerNameIndication) \|\|
	61	+ !SSL_CTX_set_tlsext_servername_arg(mctx->ssl_ctx, mctx)) {
	62	+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
	63	+ "Unable to initialize TLS servername extension "
	64	+ "callback (incompatible OpenSSL version?)");
	65	+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
	66	+ ssl_die();
	67	+ }
	68	+}
	69	+#endif
	70	+
	71	static void ssl_init_ctx_protocol(server_rec *s,
	72	apr_pool_t *p,
	73	apr_pool_t *ptemp,
[1102]	74	@@ -690,6 +717,9 @@ static void ssl_init_ctx(server_rec *s,
[683]	75	if (mctx->pks) {
	76	/* XXX: proxy support? */
	77	ssl_init_ctx_cert_chain(s, p, ptemp, mctx);
	78	+#ifndef OPENSSL_NO_TLSEXT
	79	+ ssl_init_ctx_tls_extensions(s, p, ptemp, mctx);
	80	+#endif
	81	}
	82	}
	83
[1102]	84	@@ -1039,9 +1069,19 @@ void ssl_init_CheckServers(server_rec *base_server
[816]	85	klen = strlen(key);
	86
[683]	87	if ((ps = (server_rec *)apr_hash_get(table, key, klen))) {
[816]	88	- ap_log_error(APLOG_MARK, APLOG_WARNING, 0,
	89	+ ap_log_error(APLOG_MARK,
	90	+#ifdef OPENSSL_NO_TLSEXT
	91	+ APLOG_WARNING,
	92	+#else
	93	+ APLOG_DEBUG,
	94	+#endif
	95	+ 0,
[683]	96	base_server,
	97	+#ifdef OPENSSL_NO_TLSEXT
	98	"Init: SSL server IP/port conflict: "
	99	+#else
	100	+ "Init: SSL server IP/port overlap: "
	101	+#endif
	102	"%s (%s:%d) vs. %s (%s:%d)",
	103	ssl_util_vhostid(p, s),
	104	(s->defn_name ? s->defn_name : "unknown"),
[1102]	105	@@ -1058,8 +1098,14 @@ void ssl_init_CheckServers(server_rec *base_server
[683]	106
	107	if (conflict) {
	108	ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server,
	109	+#ifdef OPENSSL_NO_TLSEXT
	110	"Init: You should not use name-based "
	111	"virtual hosts in conjunction with SSL!!");
	112	+#else
	113	+ "Init: Name-based SSL virtual hosts only "
	114	+ "work for clients with TLS server name indication "
	115	+ "support (RFC 4366)");
	116	+#endif
	117	}
	118	}
	119
	120	Index: httpd-2.2.x/modules/ssl/ssl_engine_vars.c
	121	===================================================================
[1102]	122	--- httpd-2.2.x/modules/ssl/ssl_engine_vars.c (revision 763153)
[683]	123	+++ httpd-2.2.x/modules/ssl/ssl_engine_vars.c (working copy)
[1102]	124	@@ -320,6 +320,12 @@ static char ssl_var_lookup_ssl(apr_pool_t p, con
[683]	125	else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) {
	126	result = ssl_var_lookup_ssl_compress_meth(ssl);
	127	}
	128	+#ifndef OPENSSL_NO_TLSEXT
	129	+ else if (ssl != NULL && strcEQ(var, "TLS_SNI")) {
	130	+ result = apr_pstrdup(p, SSL_get_servername(ssl,
	131	+ TLSEXT_NAMETYPE_host_name));
	132	+ }
	133	+#endif
	134	return result;
	135	}
	136
	137	Index: httpd-2.2.x/modules/ssl/ssl_engine_kernel.c
	138	===================================================================
[1102]	139	--- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (revision 763153)
[683]	140	+++ httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (working copy)
	141	@@ -31,6 +31,9 @@
	142	#include "ssl_private.h"
	143
	144	static void ssl_configure_env(request_rec r, SSLConnRec sslconn);
	145	+#ifndef OPENSSL_NO_TLSEXT
	146	+static int ssl_find_vhost(void servername, conn_rec c, server_rec *s);
	147	+#endif
	148
	149	/*
	150	* Post Read Request Handler
[816]	151	@@ -39,6 +42,9 @@ int ssl_hook_ReadReq(request_rec *r)
[683]	152	{
	153	SSLConnRec *sslconn = myConnConfig(r->connection);
	154	SSL *ssl;
	155	+#ifndef OPENSSL_NO_TLSEXT
	156	+ const char *servername;
	157	+#endif
	158
	159	if (!sslconn) {
	160	return DECLINED;
[1102]	161	@@ -87,6 +93,34 @@ int ssl_hook_ReadReq(request_rec *r)
[683]	162	if (!ssl) {
	163	return DECLINED;
	164	}
	165	+#ifndef OPENSSL_NO_TLSEXT
[1102]	166	+ if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
	167	+ char host, scope_id;
	168	+ apr_port_t port;
	169	+ apr_status_t rv;
	170	+
	171	+ /*
	172	+ * The SNI extension supplied a hostname. So don't accept requests
	173	+ * with either no hostname or a different hostname.
	174	+ */
	175	+ if (!r->hostname) {
	176	+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
	177	+ "Hostname %s provided via SNI, but no hostname"
	178	+ " provided in HTTP request", servername);
	179	+ return HTTP_BAD_REQUEST;
	180	+ }
	181	+ rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool);
	182	+ if (rv != APR_SUCCESS \|\| scope_id) {
	183	+ return HTTP_BAD_REQUEST;
	184	+ }
	185	+ if (strcmp(host, servername)) {
	186	+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
	187	+ "Hostname %s provided via SNI and hostname %s provided"
	188	+ " via HTTP are different", servername, host);
	189	+ return HTTP_BAD_REQUEST;
	190	+ }
[683]	191	+ }
	192	+#endif
	193	SSL_set_app_data2(ssl, r);
	194
	195	/*
[1102]	196	@@ -252,7 +286,7 @@ int ssl_hook_Access(request_rec *r)
[816]	197	* has to enable this via ``SSLOptions +OptRenegotiate''. So we do no
	198	* implicit optimizations.
	199	*/
	200	- if (dc->szCipherSuite) {
	201	+ if (dc->szCipherSuite \|\| (r->server != r->connection->base_server)) {
	202	/* remember old state */
	203
	204	if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) {
[1102]	205	@@ -267,7 +301,10 @@ int ssl_hook_Access(request_rec *r)
[816]	206	}
	207
	208	/* configure new state */
	209	- if (!modssl_set_cipher_list(ssl, dc->szCipherSuite)) {
[1102]	210	+ if ((dc->szCipherSuite \|\| sc->server->auth.cipher_suite) &&
	211	+ !modssl_set_cipher_list(ssl, dc->szCipherSuite ?
	212	+ dc->szCipherSuite :
	213	+ sc->server->auth.cipher_suite)) {
[816]	214	ap_log_error(APLOG_MARK, APLOG_WARNING, 0,
	215	r->server,
	216	"Unable to reconfigure (per-directory) "
[1102]	217	@@ -334,8 +371,13 @@ int ssl_hook_Access(request_rec *r)
[816]	218	sk_SSL_CIPHER_free(cipher_list_old);
	219	}
	220
	221	- /* tracing */
	222	if (renegotiate) {
	223	+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
	224	+ if (sc->cipher_server_pref == TRUE) {
	225	+ SSL_set_options(ssl, SSL_OP_CIPHER_SERVER_PREFERENCE);
	226	+ }
	227	+#endif
	228	+ /* tracing */
	229	ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
	230	"Reconfigured cipher suite will force renegotiation");
	231	}
[1102]	232	@@ -353,19 +395,15 @@ int ssl_hook_Access(request_rec *r)
[816]	233	* currently active/remembered verify depth (because this means more
	234	* restriction on the certificate chain).
	235	*/
	236	- if (dc->nVerifyDepth != UNSET) {
[1102]	237	- /* XXX: doesnt look like sslconn->verify_depth is actually used */
	238	- if (!(n = sslconn->verify_depth)) {
	239	- sslconn->verify_depth = n = sc->server->auth.verify_depth;
	240	- }
	241	-
	242	- /* determine whether a renegotiation has to be forced */
	243	- if (dc->nVerifyDepth < n) {
	244	- renegotiate = TRUE;
	245	- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
	246	- "Reduced client verification depth will force "
	247	- "renegotiation");
	248	- }
	249	+ n = sslconn->verify_depth;
	250	+ sslconn->verify_depth = (dc->nVerifyDepth != UNSET) ?
	251	+ dc->nVerifyDepth : sc->server->auth.verify_depth;
	252	+ if ((sslconn->verify_depth < n) \|\|
	253	+ ((n == 0) && (sc->server->auth.verify_depth == 0))) {
	254	+ renegotiate = TRUE;
	255	+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
	256	+ "Reduced client verification depth will force "
	257	+ "renegotiation");
	258	}
[816]	259
[1102]	260	/*
	261	@@ -382,18 +420,22 @@ int ssl_hook_Access(request_rec *r)
[816]	262	* verification but at least skip the I/O-intensive renegotation
	263	* handshake.
	264	*/
	265	- if (dc->nVerifyClient != SSL_CVERIFY_UNSET) {
	266	+ if ((dc->nVerifyClient != SSL_CVERIFY_UNSET) \|\|
	267	+ (sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) {
	268	/* remember old state */
	269	verify_old = SSL_get_verify_mode(ssl);
	270	/* configure new state */
	271	verify = SSL_VERIFY_NONE;
	272
	273	- if (dc->nVerifyClient == SSL_CVERIFY_REQUIRE) {
	274	+ if ((dc->nVerifyClient == SSL_CVERIFY_REQUIRE) \|\|
	275	+ (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE)) {
	276	verify \|= SSL_VERIFY_PEER_STRICT;
	277	}
	278
	279	if ((dc->nVerifyClient == SSL_CVERIFY_OPTIONAL) \|\|
	280	- (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA))
	281	+ (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA) \|\|
	282	+ (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL) \|\|
	283	+ (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
	284	{
	285	verify \|= SSL_VERIFY_PEER;
	286	}
[1102]	287	@@ -491,6 +533,40 @@ int ssl_hook_Access(request_rec *r)
[816]	288	"Changed client verification locations will force "
	289	"renegotiation");
	290	}
	291	+#else
	292	+#ifndef OPENSSL_NO_TLSEXT
	293	+#define MODSSL_CFG_CA_NE(f, sc1, sc2) \
	294	+ (sc1->server->auth.f && \
	295	+ (!sc2->server->auth.f \|\| \
	296	+ sc2->server->auth.f && strNE(sc1->server->auth.f, sc2->server->auth.f)))
	297	+
	298	+ /* If we're handling a request for a vhost other than the default one,
	299	+ * then we need to make sure that client authentication is properly
	300	+ * enforced. For clients supplying an SNI extension, the peer certificate
	301	+ * verification has happened in the handshake already (and r->server
	302	+ * has been set to r->connection->base_server). For non-SNI requests,
	303	+ * an additional check is needed here. If client authentication is
	304	+ * configured as mandatory, then we can only proceed if the CA list
	305	+ * doesn't have to be changed (SSL_set_cert_store() would be required
	306	+ * for this).
	307	+ */
	308	+ if ((r->server != r->connection->base_server) &&
	309	+ (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) &&
	310	+ renegotiate &&
	311	+ !(SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
	312	+ SSLSrvConfigRec *bssc = mySrvConfig(r->connection->base_server);
	313	+
	314	+ if (MODSSL_CFG_CA_NE(ca_cert_file, sc, bssc) \|\|
	315	+ MODSSL_CFG_CA_NE(ca_cert_path, sc, bssc)) {
	316	+ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
	317	+ "Non-default virtual host with SSLVerify set to 'require' "
	318	+ "and VirtualHost-specific CA certificate list is only "
	319	+ "supported for clients with TLS server name indication "
	320	+ "(SNI) support");
	321	+ return HTTP_FORBIDDEN;
	322	+ }
	323	+ }
	324	+#endif /* OPENSSL_NO_TLSEXT */
	325	#endif /* HAVE_SSL_SET_CERT_STORE */
	326
	327	/* If a renegotiation is now required for this location, and the
[1102]	328	@@ -675,8 +751,10 @@ int ssl_hook_Access(request_rec *r)
[816]	329	/*
	330	* Finally check for acceptable renegotiation results
	331	*/
	332	- if (dc->nVerifyClient != SSL_CVERIFY_NONE) {
	333	- BOOL do_verify = (dc->nVerifyClient == SSL_CVERIFY_REQUIRE);
	334	+ if ((dc->nVerifyClient != SSL_CVERIFY_NONE) \|\|
	335	+ (sc->server->auth.verify_mode != SSL_CVERIFY_NONE)) {
	336	+ BOOL do_verify = ((dc->nVerifyClient == SSL_CVERIFY_REQUIRE) \|\|
	337	+ (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE));
	338
	339	if (do_verify && (SSL_get_verify_result(ssl) != X509_V_OK)) {
	340	ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
[1102]	341	@@ -1006,6 +1084,9 @@ int ssl_hook_Fixup(request_rec *r)
[683]	342	SSLDirConfigRec *dc = myDirConfig(r);
	343	apr_table_t *env = r->subprocess_env;
	344	char var, val = "";
	345	+#ifndef OPENSSL_NO_TLSEXT
	346	+ const char *servername;
	347	+#endif
	348	STACK_OF(X509) *peer_certs;
	349	SSL *ssl;
	350	int i;
[1102]	351	@@ -1027,6 +1108,13 @@ int ssl_hook_Fixup(request_rec *r)
[683]	352	/* the always present HTTPS (=HTTP over SSL) flag! */
	353	apr_table_setn(env, "HTTPS", "on");
	354
	355	+#ifndef OPENSSL_NO_TLSEXT
	356	+ /* add content of SNI TLS extension (if supplied with ClientHello) */
	357	+ if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
	358	+ apr_table_set(env, "SSL_TLS_SNI", servername);
	359	+ }
	360	+#endif
	361	+
	362	/* standard SSL environment variables */
	363	if (dc->nOptions & SSL_OPT_STDENVVARS) {
	364	for (i = 0; ssl_hook_Fixup_vars[i]; i++) {
[1102]	365	@@ -1175,8 +1263,8 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX
[816]	366	SSL *ssl = X509_STORE_CTX_get_ex_data(ctx,
	367	SSL_get_ex_data_X509_STORE_CTX_idx());
	368	conn_rec conn = (conn_rec )SSL_get_app_data(ssl);
	369	- server_rec *s = conn->base_server;
	370	request_rec r = (request_rec )SSL_get_app_data2(ssl);
	371	+ server_rec *s = r ? r->server : conn->base_server;
	372
	373	SSLSrvConfigRec *sc = mySrvConfig(s);
	374	SSLDirConfigRec *dc = r ? myDirConfig(r) : NULL;
[1102]	375	@@ -1299,7 +1387,10 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX
[816]	376
	377	int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX ctx, conn_rec c)
	378	{
	379	- server_rec *s = c->base_server;
	380	+ SSL *ssl = X509_STORE_CTX_get_ex_data(ctx,
	381	+ SSL_get_ex_data_X509_STORE_CTX_idx());
	382	+ request_rec r = (request_rec )SSL_get_app_data2(ssl);
	383	+ server_rec *s = r ? r->server : c->base_server;
	384	SSLSrvConfigRec *sc = mySrvConfig(s);
	385	SSLConnRec *sslconn = myConnConfig(c);
	386	modssl_ctx_t *mctx = myCtxConfig(sslconn, sc);
[1102]	387	@@ -1819,3 +1910,141 @@ void ssl_callback_LogTracingState(MODSSL_INFO_CB_A
[683]	388	}
	389	}
	390
	391	+#ifndef OPENSSL_NO_TLSEXT
	392	+/*
	393	+ * This callback function is executed when OpenSSL encounters an extended
	394	+ * client hello with a server name indication extension ("SNI", cf. RFC 4366).
	395	+ */
	396	+int ssl_callback_ServerNameIndication(SSL ssl, int al, modssl_ctx_t *mctx)
	397	+{
	398	+ const char *servername =
	399	+ SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
	400	+
	401	+ if (servername) {
	402	+ conn_rec c = (conn_rec )SSL_get_app_data(ssl);
	403	+ if (c) {
	404	+ if (ap_vhost_iterate_given_conn(c, ssl_find_vhost,
	405	+ (void *)servername)) {
	406	+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
	407	+ "SSL virtual host for servername %s found",
	408	+ servername);
	409	+ return SSL_TLSEXT_ERR_OK;
	410	+ }
	411	+ else {
	412	+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
	413	+ "No matching SSL virtual host for servername "
	414	+ "%s found (using default/first virtual host)",
	415	+ servername);
	416	+ return SSL_TLSEXT_ERR_ALERT_WARNING;
	417	+ }
	418	+ }
	419	+ }
	420	+
	421	+ return SSL_TLSEXT_ERR_NOACK;
	422	+}
	423	+
	424	+/*
	425	+ * Find a (name-based) SSL virtual host where either the ServerName
	426	+ * or one of the ServerAliases matches the supplied name (to be used
	427	+ * with ap_vhost_iterate_given_conn())
	428	+ */
	429	+static int ssl_find_vhost(void servername, conn_rec c, server_rec *s)
	430	+{
	431	+ SSLSrvConfigRec *sc;
	432	+ SSL *ssl;
	433	+ BOOL found = FALSE;
	434	+ apr_array_header_t *names;
	435	+ int i;
	436	+
	437	+ /* check ServerName */
	438	+ if (!strcasecmp(servername, s->server_hostname)) {
	439	+ found = TRUE;
	440	+ }
	441	+
	442	+ /*
	443	+ * if not matched yet, check ServerAlias entries
	444	+ * (adapted from vhost.c:matches_aliases())
	445	+ */
	446	+ if (!found) {
	447	+ names = s->names;
	448	+ if (names) {
	449	+ char name = (char )names->elts;
	450	+ for (i = 0; i < names->nelts; ++i) {
	451	+ if (!name[i])
	452	+ continue;
	453	+ if (!strcasecmp(servername, name[i])) {
	454	+ found = TRUE;
	455	+ break;
	456	+ }
	457	+ }
	458	+ }
	459	+ }
	460	+
	461	+ /* if still no match, check ServerAlias entries with wildcards */
	462	+ if (!found) {
	463	+ names = s->wild_names;
	464	+ if (names) {
	465	+ char name = (char )names->elts;
	466	+ for (i = 0; i < names->nelts; ++i) {
	467	+ if (!name[i])
	468	+ continue;
	469	+ if (!ap_strcasecmp_match(servername, name[i])) {
	470	+ found = TRUE;
	471	+ break;
	472	+ }
	473	+ }
	474	+ }
	475	+ }
	476	+
	477	+ /* set SSL_CTX (if matched) */
	478	+ if (found && (ssl = ((SSLConnRec *)myConnConfig(c))->ssl) &&
	479	+ (sc = mySrvConfig(s))) {
	480	+ SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx);
	481	+ /*
	482	+ * SSL_set_SSL_CTX() only deals with the server cert,
	483	+ * so we need to duplicate a few additional settings
	484	+ * from the ctx by hand
	485	+ */
	486	+ SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx));
	487	+ if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) \|\|
	488	+ (SSL_num_renegotiations(ssl) == 0)) {
	489	+ /*
	490	+ * Only initialize the verification settings from the ctx
	491	+ * if they are not yet set, or if we're called when a new
	492	+ * SSL connection is set up (num_renegotiations == 0).
	493	+ * Otherwise, we would possibly reset a per-directory
	494	+ * configuration which was put into effect by ssl_hook_Access.
	495	+ */
	496	+ SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
	497	+ SSL_CTX_get_verify_callback(ssl->ctx));
	498	+ }
	499	+
	500	+ /*
[816]	501	+ * We also need to make sure that the correct mctx
	502	+ * (accessed through the c->base_server->module_config vector)
	503	+ * is assigned to the connection - the CRL callback e.g.
[683]	504	+ * makes use of it for retrieving its store (mctx->crl).
	505	+ * Since logging in callbacks uses c->base_server in many
	506	+ * cases, it also ensures that these messages are routed
[816]	507	+ * to the proper log.
[683]	508	+ */
	509	+ c->base_server = s;
[816]	510	+
	511	+ /*
	512	+ * There is one special filter callback, which is set
	513	+ * very early depending on the base_server's log level.
	514	+ * If this is not the first vhost we're now selecting
	515	+ * (and the first vhost doesn't use APLOG_DEBUG), then
	516	+ * we need to set that callback here.
	517	+ */
[683]	518	+ if (c->base_server->loglevel >= APLOG_DEBUG) {
	519	+ BIO_set_callback(SSL_get_rbio(ssl), ssl_io_data_cb);
	520	+ BIO_set_callback_arg(SSL_get_rbio(ssl), (void *)ssl);
	521	+ }
	522	+
	523	+ return 1;
	524	+ }
	525	+
	526	+ return 0;
	527	+}
	528	+#endif
	529	Index: httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h
	530	===================================================================
[1102]	531	--- httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h (revision 763153)
[683]	532	+++ httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h (working copy)
[1102]	533	@@ -264,6 +264,12 @@ typedef void (modssl_popfree_fn)(char data);
[683]	534	#define SSL_SESS_CACHE_NO_INTERNAL SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
	535	#endif
	536
	537	+#ifndef OPENSSL_NO_TLSEXT
	538	+#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME
	539	+#define OPENSSL_NO_TLSEXT
	540	+#endif
	541	+#endif
	542	+
	543	#endif /* SSL_TOOLKIT_COMPAT_H */
	544
	545	/** @} */

Note: See TracBrowser for help on using the repository browser.

Download in other formats: