Ignore:
Timestamp:
Apr 25, 2009, 7:10:13 PM (14 years ago)
Author:
mitchb
Message:
Update to current version of the 2.2.x SNI patch
File:
1 edited

Legend:

Unmodified
Added
Removed
  • server/common/patches/httpd-2.2.x-sni.patch

    r836 r1102  
    1 # httpd-2.2.x-sni.patch - server name indication support for Apache 2.2
    2 # (see RFC 4366, "Transport Layer Security (TLS) Extensions")
     1httpd-2.2.x-sni.patch - server name indication support for Apache 2.2
     2(see RFC 4366, "Transport Layer Security (TLS) Extensions")
    33
    4 # based on a patch from the EdelKey project
    5 # (http://www.edelweb.fr/EdelKey/files/apache-2.2.0+0.9.9+servername.patch)
     4Last updated 2009-04-08
    65
    7 # Needs openssl-SNAP-20060330 / OpenSSL 0.9.8f or later
    8 # to work properly (ftp://ftp.openssl.org/snapshot/). The 0.9.8 versions
    9 # must be configured explicitly for TLS extension support at compile time
    10 # ("./config enable-tlsext").
     6based on a patch from the EdelKey project
     7(http://www.edelweb.fr/EdelKey/files/apache-2.2.0+0.9.9+servername.patch)
     8
     9Needs openssl-SNAP-20060330 / OpenSSL 0.9.8f or later
     10to work properly (ftp://ftp.openssl.org/snapshot/). OpenSSL versions
     11prior to 0.9.8j must be configured explicitly for TLS extension support
     12at compile time ("./config enable-tlsext").
    1113
    1214Index: httpd-2.2.x/modules/ssl/ssl_private.h
    1315===================================================================
    14 --- httpd-2.2.x/modules/ssl/ssl_private.h       (revision 663014)
     16--- httpd-2.2.x/modules/ssl/ssl_private.h       (revision 763153)
    1517+++ httpd-2.2.x/modules/ssl/ssl_private.h       (working copy)
    1618@@ -35,6 +35,7 @@
     
    2224 #include "util_filter.h"
    2325 #include "util_ebcdic.h"
    24 @@ -555,6 +556,9 @@ int          ssl_callback_NewSessionCach
     26@@ -562,6 +563,9 @@ int          ssl_callback_NewSessionCacheEntry(SSL
    2527 SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
    2628 void         ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
     
    3436Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c
    3537===================================================================
    36 --- httpd-2.2.x/modules/ssl/ssl_engine_init.c   (revision 663014)
     38--- httpd-2.2.x/modules/ssl/ssl_engine_init.c   (revision 763153)
    3739+++ httpd-2.2.x/modules/ssl/ssl_engine_init.c   (working copy)
    38 @@ -355,6 +355,33 @@ static void ssl_init_server_check(server
     40@@ -358,6 +358,33 @@ static void ssl_init_server_check(server_rec *s,
    3941     }
    4042 }
     
    7072                                   apr_pool_t *p,
    7173                                   apr_pool_t *ptemp,
    72 @@ -687,6 +714,9 @@ static void ssl_init_ctx(server_rec *s,
     74@@ -690,6 +717,9 @@ static void ssl_init_ctx(server_rec *s,
    7375     if (mctx->pks) {
    7476         /* XXX: proxy support? */
     
    8082 }
    8183 
    82 @@ -1036,9 +1066,19 @@ void ssl_init_CheckServers(server_rec *b
     84@@ -1039,9 +1069,19 @@ void ssl_init_CheckServers(server_rec *base_server
    8385         klen = strlen(key);
    8486 
     
    101103                          ssl_util_vhostid(p, s),
    102104                          (s->defn_name ? s->defn_name : "unknown"),
    103 @@ -1055,8 +1095,14 @@ void ssl_init_CheckServers(server_rec *b
     105@@ -1058,8 +1098,14 @@ void ssl_init_CheckServers(server_rec *base_server
    104106 
    105107     if (conflict) {
     
    118120Index: httpd-2.2.x/modules/ssl/ssl_engine_vars.c
    119121===================================================================
    120 --- httpd-2.2.x/modules/ssl/ssl_engine_vars.c   (revision 663014)
     122--- httpd-2.2.x/modules/ssl/ssl_engine_vars.c   (revision 763153)
    121123+++ httpd-2.2.x/modules/ssl/ssl_engine_vars.c   (working copy)
    122 @@ -320,6 +320,12 @@ static char *ssl_var_lookup_ssl(apr_pool
     124@@ -320,6 +320,12 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, con
    123125     else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) {
    124126         result = ssl_var_lookup_ssl_compress_meth(ssl);
     
    135137Index: httpd-2.2.x/modules/ssl/ssl_engine_kernel.c
    136138===================================================================
    137 --- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (revision 663014)
     139--- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (revision 763153)
    138140+++ httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (working copy)
    139141@@ -31,6 +31,9 @@
     
    157159     if (!sslconn) {
    158160         return DECLINED;
    159 @@ -87,6 +93,14 @@ int ssl_hook_ReadReq(request_rec *r)
     161@@ -87,6 +93,34 @@ int ssl_hook_ReadReq(request_rec *r)
    160162     if (!ssl) {
    161163         return DECLINED;
    162164     }
    163165+#ifndef OPENSSL_NO_TLSEXT
    164 +    if (!r->hostname &&
    165 +        (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
    166 +        /* Use the SNI extension as the hostname if no Host: header was sent */
    167 +        r->hostname = apr_pstrdup(r->pool, servername);
    168 +        ap_update_vhost_from_headers(r);
     166+    if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
     167+        char *host, *scope_id;
     168+        apr_port_t port;
     169+        apr_status_t rv;
     170+
     171+        /*
     172+         * The SNI extension supplied a hostname. So don't accept requests
     173+         * with either no hostname or a different hostname.
     174+         */
     175+        if (!r->hostname) {
     176+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
     177+                        "Hostname %s provided via SNI, but no hostname"
     178+                        " provided in HTTP request", servername);
     179+            return HTTP_BAD_REQUEST;
     180+        }
     181+        rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool);
     182+        if (rv != APR_SUCCESS || scope_id) {
     183+            return HTTP_BAD_REQUEST;
     184+        }
     185+        if (strcmp(host, servername)) {
     186+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
     187+                        "Hostname %s provided via SNI and hostname %s provided"
     188+                        " via HTTP are different", servername, host);
     189+            return HTTP_BAD_REQUEST;
     190+        }
    169191+    }
    170192+#endif
     
    172194 
    173195     /*
    174 @@ -252,7 +266,7 @@ int ssl_hook_Access(request_rec *r)
     196@@ -252,7 +286,7 @@ int ssl_hook_Access(request_rec *r)
    175197      *   has to enable this via ``SSLOptions +OptRenegotiate''. So we do no
    176198      *   implicit optimizations.
     
    181203 
    182204         if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) {
    183 @@ -267,7 +281,10 @@ int ssl_hook_Access(request_rec *r)
     205@@ -267,7 +301,10 @@ int ssl_hook_Access(request_rec *r)
    184206         }
    185207 
    186208         /* configure new state */
    187209-        if (!modssl_set_cipher_list(ssl, dc->szCipherSuite)) {
    188 +        if ((dc->szCipherSuite &&
    189 +             !modssl_set_cipher_list(ssl, dc->szCipherSuite)) ||
    190 +            (sc->server->auth.cipher_suite &&
    191 +             !modssl_set_cipher_list(ssl, sc->server->auth.cipher_suite))) {
     210+        if ((dc->szCipherSuite || sc->server->auth.cipher_suite) &&
     211+            !modssl_set_cipher_list(ssl, dc->szCipherSuite ?
     212+                                         dc->szCipherSuite :
     213+                                         sc->server->auth.cipher_suite)) {
    192214             ap_log_error(APLOG_MARK, APLOG_WARNING, 0,
    193215                          r->server,
    194216                          "Unable to reconfigure (per-directory) "
    195 @@ -334,8 +351,13 @@ int ssl_hook_Access(request_rec *r)
     217@@ -334,8 +371,13 @@ int ssl_hook_Access(request_rec *r)
    196218             sk_SSL_CIPHER_free(cipher_list_old);
    197219         }
     
    208230                          "Reconfigured cipher suite will force renegotiation");
    209231         }
    210 @@ -353,14 +375,16 @@ int ssl_hook_Access(request_rec *r)
     232@@ -353,19 +395,15 @@ int ssl_hook_Access(request_rec *r)
    211233      * currently active/remembered verify depth (because this means more
    212234      * restriction on the certificate chain).
    213235      */
    214236-    if (dc->nVerifyDepth != UNSET) {
    215 +    if ((dc->nVerifyDepth != UNSET) ||
    216 +        (sc->server->auth.verify_depth != 1)) {
    217          /* XXX: doesnt look like sslconn->verify_depth is actually used */
    218          if (!(n = sslconn->verify_depth)) {
    219              sslconn->verify_depth = n = sc->server->auth.verify_depth;
    220          }
    221  
    222          /* determine whether a renegotiation has to be forced */
     237-        /* XXX: doesnt look like sslconn->verify_depth is actually used */
     238-        if (!(n = sslconn->verify_depth)) {
     239-            sslconn->verify_depth = n = sc->server->auth.verify_depth;
     240-        }
     241-
     242-        /* determine whether a renegotiation has to be forced */
    223243-        if (dc->nVerifyDepth < n) {
    224 +        if ((dc->nVerifyDepth < n) ||
    225 +            (sc->server->auth.verify_depth < n)) {
    226              renegotiate = TRUE;
    227              ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
    228                           "Reduced client verification depth will force "
    229 @@ -382,18 +406,22 @@ int ssl_hook_Access(request_rec *r)
     244-            renegotiate = TRUE;
     245-            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
     246-                         "Reduced client verification depth will force "
     247-                         "renegotiation");
     248-        }
     249+    n = sslconn->verify_depth;
     250+    sslconn->verify_depth = (dc->nVerifyDepth != UNSET) ?
     251+                            dc->nVerifyDepth : sc->server->auth.verify_depth;
     252+    if ((sslconn->verify_depth < n) ||
     253+        ((n == 0) && (sc->server->auth.verify_depth == 0))) {
     254+        renegotiate = TRUE;
     255+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
     256+                     "Reduced client verification depth will force "
     257+                     "renegotiation");
     258     }
     259 
     260     /*
     261@@ -382,18 +420,22 @@ int ssl_hook_Access(request_rec *r)
    230262      * verification but at least skip the I/O-intensive renegotation
    231263      * handshake.
     
    253285             verify |= SSL_VERIFY_PEER;
    254286         }
    255 @@ -491,6 +519,40 @@ int ssl_hook_Access(request_rec *r)
     287@@ -491,6 +533,40 @@ int ssl_hook_Access(request_rec *r)
    256288                      "Changed client verification locations will force "
    257289                      "renegotiation");
     
    294326 
    295327     /* If a renegotiation is now required for this location, and the
    296 @@ -666,8 +728,10 @@ int ssl_hook_Access(request_rec *r)
     328@@ -675,8 +751,10 @@ int ssl_hook_Access(request_rec *r)
    297329         /*
    298330          * Finally check for acceptable renegotiation results
     
    307339             if (do_verify && (SSL_get_verify_result(ssl) != X509_V_OK)) {
    308340                 ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
    309 @@ -997,6 +1061,9 @@ int ssl_hook_Fixup(request_rec *r)
     341@@ -1006,6 +1084,9 @@ int ssl_hook_Fixup(request_rec *r)
    310342     SSLDirConfigRec *dc = myDirConfig(r);
    311343     apr_table_t *env = r->subprocess_env;
     
    317349     SSL *ssl;
    318350     int i;
    319 @@ -1018,6 +1085,13 @@ int ssl_hook_Fixup(request_rec *r)
     351@@ -1027,6 +1108,13 @@ int ssl_hook_Fixup(request_rec *r)
    320352     /* the always present HTTPS (=HTTP over SSL) flag! */
    321353     apr_table_setn(env, "HTTPS", "on");
     
    331363     if (dc->nOptions & SSL_OPT_STDENVVARS) {
    332364         for (i = 0; ssl_hook_Fixup_vars[i]; i++) {
    333 @@ -1166,8 +1240,8 @@ int ssl_callback_SSLVerify(int ok, X509_
     365@@ -1175,8 +1263,8 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX
    334366     SSL *ssl = X509_STORE_CTX_get_ex_data(ctx,
    335367                                           SSL_get_ex_data_X509_STORE_CTX_idx());
     
    341373     SSLSrvConfigRec *sc = mySrvConfig(s);
    342374     SSLDirConfigRec *dc = r ? myDirConfig(r) : NULL;
    343 @@ -1290,7 +1364,10 @@ int ssl_callback_SSLVerify(int ok, X509_
     375@@ -1299,7 +1387,10 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX
    344376 
    345377 int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, conn_rec *c)
     
    353385     SSLConnRec *sslconn = myConnConfig(c);
    354386     modssl_ctx_t *mctx  = myCtxConfig(sslconn, sc);
    355 @@ -1810,3 +1887,141 @@ void ssl_callback_LogTracingState(MODSSL
     387@@ -1819,3 +1910,141 @@ void ssl_callback_LogTracingState(MODSSL_INFO_CB_A
    356388     }
    357389 }
     
    497529Index: httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h
    498530===================================================================
    499 --- httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h        (revision 663014)
     531--- httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h        (revision 763153)
    500532+++ httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h        (working copy)
    501 @@ -264,6 +264,12 @@ typedef void (*modssl_popfree_fn)(char *
     533@@ -264,6 +264,12 @@ typedef void (*modssl_popfree_fn)(char *data);
    502534 #define SSL_SESS_CACHE_NO_INTERNAL  SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
    503535 #endif
Note: See TracChangeset for help on using the changeset viewer.