Changeset 1102

Timestamp:

Apr 25, 2009, 7:10:13 PM (15 years ago)

Author:

mitchb

Message:

Update to current version of the 2.2.x SNI patch

File:

• server/common/patches/httpd-2.2.x-sni.patch (modified) (20 diffs)

server/common/patches/httpd-2.2.x-sni.patch

@@ -1 @@
-# httpd-2.2.x-sni.patch - server name indication support for Apache 2.2
-# (see RFC 4366, "Transport Layer Security (TLS) Extensions")
+httpd-2.2.x-sni.patch - server name indication support for Apache 2.2
+(see RFC 4366, "Transport Layer Security (TLS) Extensions")
 
-# based on a patch from the EdelKey project
-# (http://www.edelweb.fr/EdelKey/files/apache-2.2.0+0.9.9+servername.patch)
+Last updated 2009-04-08
 
-# Needs openssl-SNAP-20060330 / OpenSSL 0.9.8f or later
-# to work properly (ftp://ftp.openssl.org/snapshot/). The 0.9.8 versions
-# must be configured explicitly for TLS extension support at compile time
-# ("./config enable-tlsext").
+based on a patch from the EdelKey project
+(http://www.edelweb.fr/EdelKey/files/apache-2.2.0+0.9.9+servername.patch)
+
+Needs openssl-SNAP-20060330 / OpenSSL 0.9.8f or later
+to work properly (ftp://ftp.openssl.org/snapshot/). OpenSSL versions
+prior to 0.9.8j must be configured explicitly for TLS extension support
+at compile time ("./config enable-tlsext").
 
 Index: httpd-2.2.x/modules/ssl/ssl_private.h
 ===================================================================
---- httpd-2.2.x/modules/ssl/ssl_private.h       (revision 663014)
+--- httpd-2.2.x/modules/ssl/ssl_private.h       (revision 763153)
 +++ httpd-2.2.x/modules/ssl/ssl_private.h       (working copy)
 @@ -35,6 +35,7 @@
@@ -22 +24 @@
  #include "util_filter.h"
  #include "util_ebcdic.h"
-@@ -555,6 +556,9 @@ int          ssl_callback_NewSessionCach
+@@ -562,6 +563,9 @@ int          ssl_callback_NewSessionCacheEntry(SSL
  SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
  void         ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
@@ -34 +36 @@
 Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c
 ===================================================================
---- httpd-2.2.x/modules/ssl/ssl_engine_init.c   (revision 663014)
+--- httpd-2.2.x/modules/ssl/ssl_engine_init.c   (revision 763153)
 +++ httpd-2.2.x/modules/ssl/ssl_engine_init.c   (working copy)
-@@ -355,6 +355,33 @@ static void ssl_init_server_check(server
+@@ -358,6 +358,33 @@ static void ssl_init_server_check(server_rec *s,
      }
  }
@@ -70 +72 @@
                                    apr_pool_t *p,
                                    apr_pool_t *ptemp,
-@@ -687,6 +714,9 @@ static void ssl_init_ctx(server_rec *s,
+@@ -690,6 +717,9 @@ static void ssl_init_ctx(server_rec *s,
      if (mctx->pks) {
          /* XXX: proxy support? */
@@ -80 +82 @@
  }
  
-@@ -1036,9 +1066,19 @@ void ssl_init_CheckServers(server_rec *b
+@@ -1039,9 +1069,19 @@ void ssl_init_CheckServers(server_rec *base_server
          klen = strlen(key);
  
@@ -101 +103 @@
                           ssl_util_vhostid(p, s),
                           (s->defn_name ? s->defn_name : "unknown"),
-@@ -1055,8 +1095,14 @@ void ssl_init_CheckServers(server_rec *b
+@@ -1058,8 +1098,14 @@ void ssl_init_CheckServers(server_rec *base_server
  
      if (conflict) {
@@ -118 +120 @@
 Index: httpd-2.2.x/modules/ssl/ssl_engine_vars.c
 ===================================================================
---- httpd-2.2.x/modules/ssl/ssl_engine_vars.c   (revision 663014)
+--- httpd-2.2.x/modules/ssl/ssl_engine_vars.c   (revision 763153)
 +++ httpd-2.2.x/modules/ssl/ssl_engine_vars.c   (working copy)
-@@ -320,6 +320,12 @@ static char *ssl_var_lookup_ssl(apr_pool
+@@ -320,6 +320,12 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, con
      else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) {
          result = ssl_var_lookup_ssl_compress_meth(ssl);
@@ -135 +137 @@
 Index: httpd-2.2.x/modules/ssl/ssl_engine_kernel.c
 ===================================================================
---- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (revision 663014)
+--- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (revision 763153)
 +++ httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (working copy)
 @@ -31,6 +31,9 @@
@@ -157 +159 @@
      if (!sslconn) {
          return DECLINED;
-@@ -87,6 +93,14 @@ int ssl_hook_ReadReq(request_rec *r)
+@@ -87,6 +93,34 @@ int ssl_hook_ReadReq(request_rec *r)
      if (!ssl) {
          return DECLINED;
      }
 +#ifndef OPENSSL_NO_TLSEXT
-+    if (!r->hostname &&
-+        (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
-+        /* Use the SNI extension as the hostname if no Host: header was sent */
-+        r->hostname = apr_pstrdup(r->pool, servername);
-+        ap_update_vhost_from_headers(r);
++    if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
++        char *host, *scope_id;
++        apr_port_t port;
++        apr_status_t rv;
++
++        /*
++         * The SNI extension supplied a hostname. So don't accept requests
++         * with either no hostname or a different hostname.
++         */
++        if (!r->hostname) {
++            ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
++                        "Hostname %s provided via SNI, but no hostname"
++                        " provided in HTTP request", servername);
++            return HTTP_BAD_REQUEST;
++        }
++        rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool);
++        if (rv != APR_SUCCESS || scope_id) {
++            return HTTP_BAD_REQUEST;
++        }
++        if (strcmp(host, servername)) {
++            ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
++                        "Hostname %s provided via SNI and hostname %s provided"
++                        " via HTTP are different", servername, host);
++            return HTTP_BAD_REQUEST;
++        }
 +    }
 +#endif
@@ -172 +194 @@
  
      /*
-@@ -252,7 +266,7 @@ int ssl_hook_Access(request_rec *r)
+@@ -252,7 +286,7 @@ int ssl_hook_Access(request_rec *r)
       *   has to enable this via ``SSLOptions +OptRenegotiate''. So we do no
       *   implicit optimizations.
@@ -181 +203 @@
  
          if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) {
-@@ -267,7 +281,10 @@ int ssl_hook_Access(request_rec *r)
+@@ -267,7 +301,10 @@ int ssl_hook_Access(request_rec *r)
          }
  
          /* configure new state */
 -        if (!modssl_set_cipher_list(ssl, dc->szCipherSuite)) {
-+        if ((dc->szCipherSuite &&
-+             !modssl_set_cipher_list(ssl, dc->szCipherSuite)) ||
-+            (sc->server->auth.cipher_suite &&
-+             !modssl_set_cipher_list(ssl, sc->server->auth.cipher_suite))) {
++        if ((dc->szCipherSuite || sc->server->auth.cipher_suite) &&
++            !modssl_set_cipher_list(ssl, dc->szCipherSuite ?
++                                         dc->szCipherSuite :
++                                         sc->server->auth.cipher_suite)) {
              ap_log_error(APLOG_MARK, APLOG_WARNING, 0,
                           r->server,
                           "Unable to reconfigure (per-directory) "
-@@ -334,8 +351,13 @@ int ssl_hook_Access(request_rec *r)
+@@ -334,8 +371,13 @@ int ssl_hook_Access(request_rec *r)
              sk_SSL_CIPHER_free(cipher_list_old);
          }
@@ -208 +230 @@
                           "Reconfigured cipher suite will force renegotiation");
          }
-@@ -353,14 +375,16 @@ int ssl_hook_Access(request_rec *r)
+@@ -353,19 +395,15 @@ int ssl_hook_Access(request_rec *r)
       * currently active/remembered verify depth (because this means more
       * restriction on the certificate chain).
       */
 -    if (dc->nVerifyDepth != UNSET) {
-+    if ((dc->nVerifyDepth != UNSET) ||
-+        (sc->server->auth.verify_depth != 1)) {
-         /* XXX: doesnt look like sslconn->verify_depth is actually used */
-         if (!(n = sslconn->verify_depth)) {
-             sslconn->verify_depth = n = sc->server->auth.verify_depth;
-         }
- 
-         /* determine whether a renegotiation has to be forced */
+-        /* XXX: doesnt look like sslconn->verify_depth is actually used */
+-        if (!(n = sslconn->verify_depth)) {
+-            sslconn->verify_depth = n = sc->server->auth.verify_depth;
+-        }
+-
+-        /* determine whether a renegotiation has to be forced */
 -        if (dc->nVerifyDepth < n) {
-+        if ((dc->nVerifyDepth < n) ||
-+            (sc->server->auth.verify_depth < n)) {
-             renegotiate = TRUE;
-             ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
-                          "Reduced client verification depth will force "
-@@ -382,18 +406,22 @@ int ssl_hook_Access(request_rec *r)
+-            renegotiate = TRUE;
+-            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+-                         "Reduced client verification depth will force "
+-                         "renegotiation");
+-        }
++    n = sslconn->verify_depth;
++    sslconn->verify_depth = (dc->nVerifyDepth != UNSET) ?
++                            dc->nVerifyDepth : sc->server->auth.verify_depth;
++    if ((sslconn->verify_depth < n) ||
++        ((n == 0) && (sc->server->auth.verify_depth == 0))) {
++        renegotiate = TRUE;
++        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
++                     "Reduced client verification depth will force "
++                     "renegotiation");
+     }
+ 
+     /*
+@@ -382,18 +420,22 @@ int ssl_hook_Access(request_rec *r)
       * verification but at least skip the I/O-intensive renegotation
       * handshake.
@@ -253 +285 @@
              verify |= SSL_VERIFY_PEER;
          }
-@@ -491,6 +519,40 @@ int ssl_hook_Access(request_rec *r)
+@@ -491,6 +533,40 @@ int ssl_hook_Access(request_rec *r)
                       "Changed client verification locations will force "
                       "renegotiation");
@@ -294 +326 @@
  
      /* If a renegotiation is now required for this location, and the
-@@ -666,8 +728,10 @@ int ssl_hook_Access(request_rec *r)
+@@ -675,8 +751,10 @@ int ssl_hook_Access(request_rec *r)
          /*
           * Finally check for acceptable renegotiation results
@@ -307 +339 @@
              if (do_verify && (SSL_get_verify_result(ssl) != X509_V_OK)) {
                  ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
-@@ -997,6 +1061,9 @@ int ssl_hook_Fixup(request_rec *r)
+@@ -1006,6 +1084,9 @@ int ssl_hook_Fixup(request_rec *r)
      SSLDirConfigRec *dc = myDirConfig(r);
      apr_table_t *env = r->subprocess_env;
@@ -317 +349 @@
      SSL *ssl;
      int i;
-@@ -1018,6 +1085,13 @@ int ssl_hook_Fixup(request_rec *r)
+@@ -1027,6 +1108,13 @@ int ssl_hook_Fixup(request_rec *r)
      /* the always present HTTPS (=HTTP over SSL) flag! */
      apr_table_setn(env, "HTTPS", "on");
@@ -331 +363 @@
      if (dc->nOptions & SSL_OPT_STDENVVARS) {
          for (i = 0; ssl_hook_Fixup_vars[i]; i++) {
-@@ -1166,8 +1240,8 @@ int ssl_callback_SSLVerify(int ok, X509_
+@@ -1175,8 +1263,8 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX
      SSL *ssl = X509_STORE_CTX_get_ex_data(ctx,
                                            SSL_get_ex_data_X509_STORE_CTX_idx());
@@ -341 +373 @@
      SSLSrvConfigRec *sc = mySrvConfig(s);
      SSLDirConfigRec *dc = r ? myDirConfig(r) : NULL;
-@@ -1290,7 +1364,10 @@ int ssl_callback_SSLVerify(int ok, X509_
+@@ -1299,7 +1387,10 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX
  
  int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, conn_rec *c)
@@ -353 +385 @@
      SSLConnRec *sslconn = myConnConfig(c);
      modssl_ctx_t *mctx  = myCtxConfig(sslconn, sc);
-@@ -1810,3 +1887,141 @@ void ssl_callback_LogTracingState(MODSSL
+@@ -1819,3 +1910,141 @@ void ssl_callback_LogTracingState(MODSSL_INFO_CB_A
      }
  }
@@ -497 +529 @@
 Index: httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h
 ===================================================================
---- httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h        (revision 663014)
+--- httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h        (revision 763153)
 +++ httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h        (working copy)
-@@ -264,6 +264,12 @@ typedef void (*modssl_popfree_fn)(char *
+@@ -264,6 +264,12 @@ typedef void (*modssl_popfree_fn)(char *data);
  #define SSL_SESS_CACHE_NO_INTERNAL  SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
  #endif