Changeset 1102
- Timestamp:
- Apr 25, 2009, 7:10:13 PM (16 years ago)
- File:
-
- 1 edited
server/common/patches/httpd-2.2.x-sni.patch
r836 r1102 1 #httpd-2.2.x-sni.patch - server name indication support for Apache 2.22 #(see RFC 4366, "Transport Layer Security (TLS) Extensions")1 httpd-2.2.x-sni.patch - server name indication support for Apache 2.2 2 (see RFC 4366, "Transport Layer Security (TLS) Extensions") 3 3 4 # based on a patch from the EdelKey project 5 # (http://www.edelweb.fr/EdelKey/files/apache-2.2.0+0.9.9+servername.patch) 4 Last updated 2009-04-08 6 5 7 # Needs openssl-SNAP-20060330 / OpenSSL 0.9.8f or later 8 # to work properly (ftp://ftp.openssl.org/snapshot/). The 0.9.8 versions 9 # must be configured explicitly for TLS extension support at compile time 10 # ("./config enable-tlsext"). 6 based on a patch from the EdelKey project 7 (http://www.edelweb.fr/EdelKey/files/apache-2.2.0+0.9.9+servername.patch) 8 9 Needs openssl-SNAP-20060330 / OpenSSL 0.9.8f or later 10 to work properly (ftp://ftp.openssl.org/snapshot/). OpenSSL versions 11 prior to 0.9.8j must be configured explicitly for TLS extension support 12 at compile time ("./config enable-tlsext"). 11 13 12 14 Index: httpd-2.2.x/modules/ssl/ssl_private.h 13 15 =================================================================== 14 --- httpd-2.2.x/modules/ssl/ssl_private.h (revision 663014)16 --- httpd-2.2.x/modules/ssl/ssl_private.h (revision 763153) 15 17 +++ httpd-2.2.x/modules/ssl/ssl_private.h (working copy) 16 18 @@ -35,6 +35,7 @@ … … 22 24 #include "util_filter.h" 23 25 #include "util_ebcdic.h" 24 @@ -5 55,6 +556,9 @@ int ssl_callback_NewSessionCach26 
@@ -562,6 +563,9 @@ int ssl_callback_NewSessionCacheEntry(SSL 25 27 SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *); 26 28 void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *); … … 34 36 Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c 35 37 =================================================================== 36 --- httpd-2.2.x/modules/ssl/ssl_engine_init.c (revision 663014)38 --- httpd-2.2.x/modules/ssl/ssl_engine_init.c (revision 763153) 37 39 +++ httpd-2.2.x/modules/ssl/ssl_engine_init.c (working copy) 38 @@ -35 5,6 +355,33 @@ static void ssl_init_server_check(server40 @@ -358,6 +358,33 @@ static void ssl_init_server_check(server_rec *s, 39 41 } 40 42 } … … 70 72 apr_pool_t *p, 71 73 apr_pool_t *ptemp, 72 @@ -6 87,6 +714,9 @@ static void ssl_init_ctx(server_rec *s,74 @@ -690,6 +717,9 @@ static void ssl_init_ctx(server_rec *s, 73 75 if (mctx->pks) { 74 76 /* XXX: proxy support? */ … … 80 82 } 81 83 82 @@ -103 6,9 +1066,19 @@ void ssl_init_CheckServers(server_rec *b84 @@ -1039,9 +1069,19 @@ void ssl_init_CheckServers(server_rec *base_server 83 85 klen = strlen(key); 84 86 … … 101 103 ssl_util_vhostid(p, s), 102 104 (s->defn_name ? s->defn_name : "unknown"), 103 @@ -105 5,8 +1095,14 @@ void ssl_init_CheckServers(server_rec *b105 @@ -1058,8 +1098,14 @@ void ssl_init_CheckServers(server_rec *base_server 104 106 105 107 if (conflict) { … … 118 120 Index: httpd-2.2.x/modules/ssl/ssl_engine_vars.c 119 121 =================================================================== 120 --- httpd-2.2.x/modules/ssl/ssl_engine_vars.c (revision 663014)122 --- httpd-2.2.x/modules/ssl/ssl_engine_vars.c (revision 763153) 121 123 +++ httpd-2.2.x/modules/ssl/ssl_engine_vars.c (working copy) 122 @@ -320,6 +320,12 @@ static char *ssl_var_lookup_ssl(apr_pool 124 
@@ -320,6 +320,12 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, con 123 125 else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) { 124 126 result = ssl_var_lookup_ssl_compress_meth(ssl); … … 135 137 Index: httpd-2.2.x/modules/ssl/ssl_engine_kernel.c 136 138 =================================================================== 137 --- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (revision 663014)139 --- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (revision 763153) 138 140 +++ httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (working copy) 139 141 @@ -31,6 +31,9 @@ … … 157 159 if (!sslconn) { 158 160 return DECLINED; 159 @@ -87,6 +93, 14 @@ int ssl_hook_ReadReq(request_rec *r)161 
@@ -87,6 +93,34 @@ int ssl_hook_ReadReq(request_rec *r) 160 162 if (!ssl) { 161 163 return DECLINED; 162 164 } 163 165 +#ifndef OPENSSL_NO_TLSEXT 164 + if (!r->hostname && 165 + (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { 166 + /* Use the SNI extension as the hostname if no Host: header was sent */ 167 + r->hostname = apr_pstrdup(r->pool, servername); 168 + ap_update_vhost_from_headers(r); 166 + if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { 167 + char *host, *scope_id; 168 + apr_port_t port; 169 + apr_status_t rv; 170 + 171 + /* 172 + * The SNI extension supplied a hostname. So don't accept requests 173 + * with either no hostname or a different hostname. 174 + */ 175 + if (!r->hostname) { 176 + ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, 177 + "Hostname %s provided via SNI, but no hostname" 178 + " provided in HTTP request", servername); 179 + return HTTP_BAD_REQUEST; 180 + } 181 + rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool); 182 + if (rv != APR_SUCCESS || scope_id) { 183 + return HTTP_BAD_REQUEST; 184 + } 185 + if (strcmp(host, servername)) { 186 + ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, 187 + "Hostname %s provided via SNI and hostname %s provided" 188 + " via HTTP are different", servername, host); 189 + return HTTP_BAD_REQUEST; 190 + } 169 191 + } 170 192 +#endif … … 172 194 173 195 /* 174 @@ -252,7 +2 66,7 @@ int ssl_hook_Access(request_rec *r)196 @@ -252,7 +286,7 @@ int ssl_hook_Access(request_rec *r) 175 197 * has to enable this via ``SSLOptions +OptRenegotiate''. So we do no 176 198 * implicit optimizations. … … 181 203 182 204 if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) { 183 @@ -267,7 + 281,10 @@ int ssl_hook_Access(request_rec *r)205 
@@ -267,7 +301,10 @@ int ssl_hook_Access(request_rec *r) 184 206 } 185 207 186 208 /* configure new state */ 187 209 - if (!modssl_set_cipher_list(ssl, dc->szCipherSuite)) { 188 + if ((dc->szCipherSuite &&189 + !modssl_set_cipher_list(ssl, dc->szCipherSuite)) ||190 + (sc->server->auth.cipher_suite &&191 + !modssl_set_cipher_list(ssl, sc->server->auth.cipher_suite))) {210 + if ((dc->szCipherSuite || sc->server->auth.cipher_suite) && 211 + !modssl_set_cipher_list(ssl, dc->szCipherSuite ? 212 + dc->szCipherSuite : 213 + sc->server->auth.cipher_suite)) { 192 214 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, 193 215 r->server, 194 216 "Unable to reconfigure (per-directory) " 195 @@ -334,8 +3 51,13 @@ int ssl_hook_Access(request_rec *r)217 @@ -334,8 +371,13 @@ int ssl_hook_Access(request_rec *r) 196 218 sk_SSL_CIPHER_free(cipher_list_old); 197 219 } … … 208 230 "Reconfigured cipher suite will force renegotiation"); 209 231 } 210 @@ -353,1 4 +375,16@@ int ssl_hook_Access(request_rec *r)232 
@@ -353,19 +395,15 @@ int ssl_hook_Access(request_rec *r) 211 233 * currently active/remembered verify depth (because this means more 212 234 * restriction on the certificate chain). 213 235 */ 214 236 - if (dc->nVerifyDepth != UNSET) { 215 + if ((dc->nVerifyDepth != UNSET) || 216 + (sc->server->auth.verify_depth != 1)) { 217 /* XXX: doesnt look like sslconn->verify_depth is actually used */ 218 if (!(n = sslconn->verify_depth)) { 219 sslconn->verify_depth = n = sc->server->auth.verify_depth; 220 } 221 222 /* determine whether a renegotiation has to be forced */ 237 - /* XXX: doesnt look like sslconn->verify_depth is actually used */ 238 - if (!(n = sslconn->verify_depth)) { 239 - sslconn->verify_depth = n = sc->server->auth.verify_depth; 240 - } 241 - 242 - /* determine whether a renegotiation has to be forced */ 223 243 - if (dc->nVerifyDepth < n) { 224 + if ((dc->nVerifyDepth < n) || 225 + (sc->server->auth.verify_depth < n)) { 226 renegotiate = TRUE; 227 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, 228 "Reduced client verification depth will force " 229 @@ -382,18 +406,22 @@ int ssl_hook_Access(request_rec *r) 244 - renegotiate = TRUE; 245 - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, 246 - "Reduced client verification depth will force " 247 - "renegotiation"); 248 - } 249 + n = sslconn->verify_depth; 250 + sslconn->verify_depth = (dc->nVerifyDepth != UNSET) ? 251 + dc->nVerifyDepth : sc->server->auth.verify_depth; 252 + if ((sslconn->verify_depth < n) || 253 + ((n == 0) && (sc->server->auth.verify_depth == 0))) { 254 + renegotiate = TRUE; 255 + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, 256 + "Reduced client verification depth will force " 257 + "renegotiation"); 258 } 259 260 /* 261 
@@ -382,18 +420,22 @@ int ssl_hook_Access(request_rec *r) 230 262 * verification but at least skip the I/O-intensive renegotation 231 263 * handshake. … … 253 285 verify |= SSL_VERIFY_PEER; 254 286 } 255 @@ -491,6 +5 19,40 @@ int ssl_hook_Access(request_rec *r)287 @@ -491,6 +533,40 @@ int ssl_hook_Access(request_rec *r) 256 288 "Changed client verification locations will force " 257 289 "renegotiation"); … … 294 326 295 327 /* If a renegotiation is now required for this location, and the 296 @@ -6 66,8 +728,10 @@ int ssl_hook_Access(request_rec *r)328 @@ -675,8 +751,10 @@ int ssl_hook_Access(request_rec *r) 297 329 /* 298 330 * Finally check for acceptable renegotiation results … … 307 339 if (do_verify && (SSL_get_verify_result(ssl) != X509_V_OK)) { 308 340 ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, 309 @@ - 997,6 +1061,9 @@ int ssl_hook_Fixup(request_rec *r)341 @@ -1006,6 +1084,9 @@ int ssl_hook_Fixup(request_rec *r) 310 342 SSLDirConfigRec *dc = myDirConfig(r); 311 343 apr_table_t *env = r->subprocess_env; … … 317 349 SSL *ssl; 318 350 int i; 319 @@ -10 18,6 +1085,13 @@ int ssl_hook_Fixup(request_rec *r)351 @@ -1027,6 +1108,13 @@ int ssl_hook_Fixup(request_rec *r) 320 352 /* the always present HTTPS (=HTTP over SSL) flag! */ 321 353 apr_table_setn(env, "HTTPS", "on"); … … 331 363 if (dc->nOptions & SSL_OPT_STDENVVARS) { 332 364 for (i = 0; ssl_hook_Fixup_vars[i]; i++) { 333 @@ -11 66,8 +1240,8 @@ int ssl_callback_SSLVerify(int ok, X509_365 @@ -1175,8 +1263,8 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX 334 366 SSL *ssl = X509_STORE_CTX_get_ex_data(ctx, 335 367 SSL_get_ex_data_X509_STORE_CTX_idx()); … … 341 373 SSLSrvConfigRec *sc = mySrvConfig(s); 342 374 SSLDirConfigRec *dc = r ? myDirConfig(r) : NULL; 343 @@ -129 0,7 +1364,10 @@ int ssl_callback_SSLVerify(int ok, X509_375 
@@ -1299,7 +1387,10 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX 344 376 345 377 int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, conn_rec *c) … … 353 385 SSLConnRec *sslconn = myConnConfig(c); 354 386 modssl_ctx_t *mctx = myCtxConfig(sslconn, sc); 355 @@ -181 0,3 +1887,141 @@ void ssl_callback_LogTracingState(MODSSL387 @@ -1819,3 +1910,141 @@ void ssl_callback_LogTracingState(MODSSL_INFO_CB_A 356 388 } 357 389 } … … 497 529 Index: httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h 498 530 =================================================================== 499 --- httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h (revision 663014)531 --- httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h (revision 763153) 500 532 +++ httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h (working copy) 501 @@ -264,6 +264,12 @@ typedef void (*modssl_popfree_fn)(char * 533 @@ -264,6 +264,12 @@ typedef void (*modssl_popfree_fn)(char *data); 502 534 #define SSL_SESS_CACHE_NO_INTERNAL SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 503 535 #endif
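Review bot: The hostname comparison added to ssl_hook_ReadReq in the `@@ -87,6 +93,34 @@` hunk, `if (strcmp(host, servername)) {`, is case-sensitive, yet both the Host header value and the SNI host_name are DNS names, which are case-insensitive; a client sending `Host: Example.org` with SNI `example.org` is therefore rejected with 400 although the two names agree, and `if (strcasecmp(host, servername)) {` is the check that matches the stated intent (I believe later httpd 2.2 releases use exactly that form, but confirm against upstream). The `apr_parse_addr_port` failure branch just above it returns HTTP_BAD_REQUEST with no ap_log_error call, unlike the two neighbouring rejections, so an operator investigating a burst of 400s on an SNI-enabled vhost has no record of why those requests were refused; a one-line APLOG_ERR message naming r->hostname and the apr_status_t would make that branch as diagnosable as the others. Since this changeset edits a patch file, these are the inner patch's added lines, and ssl_hook_ReadReq itself begins and ends outside the hunk.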