Changeset 1115


Timestamp:
May 6, 2009, 4:19:41 AM (13 years ago)
Author:
mitchb
Message:
In this week's episode of "As the Server Name Indicates..."
(Scripts's favorite night-time soap opera)
Update the SNI patch to the 4/27/2009 sni.velox.ch version, which is under consideration
for inclusion in upstream Apache 2.2.12
File:
1 edited

  • server/common/patches/httpd-2.2.x-sni.patch

    r1102 r1115  
    1 httpd-2.2.x-sni.patch - server name indication support for Apache 2.2
    2 (see RFC 4366, "Transport Layer Security (TLS) Extensions")
     1http://sni.velox.ch/httpd-2.2.11-sni.20090427.patch - server name indication
     2support for mod_ssl / Apache 2.2.11 (RFC 4366, section 3.1)
    33
    4 Last updated 2009-04-08
     4Last updated 2009-04-27, by Kaspar Brand.
     5Provided AS IS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND.
    56
    6 based on a patch from the EdelKey project
    7 (http://www.edelweb.fr/EdelKey/files/apache-2.2.0+0.9.9+servername.patch)
     7Based on a patch from the EdelKey project (http://www.edelweb.fr/EdelKey/files/),
     8includes further improvements by Ruediger Pluem (from httpd trunk).
    89
    910Needs openssl-SNAP-20060330 / OpenSSL 0.9.8f or later
     
    1213at compile time ("./config enable-tlsext").
    1314
    14 Index: httpd-2.2.x/modules/ssl/ssl_private.h
     15Index: httpd-2.2.11/modules/ssl/ssl_private.h
    1516===================================================================
    16 --- httpd-2.2.x/modules/ssl/ssl_private.h       (revision 763153)
    17 +++ httpd-2.2.x/modules/ssl/ssl_private.h       (working copy)
     17--- httpd-2.2.11/modules/ssl/ssl_private.h      (revision 768863)
     18+++ httpd-2.2.11/modules/ssl/ssl_private.h      (working copy)
    1819@@ -35,6 +35,7 @@
    1920 #include "http_connection.h"
     
    2425 #include "util_filter.h"
    2526 #include "util_ebcdic.h"
    26 @@ -562,6 +563,9 @@ int          ssl_callback_NewSessionCacheEntry(SSL
     27@@ -129,6 +130,9 @@ ap_set_module_config(c->conn_config, &ssl_module,
     28 #define mySrvConfig(srv) (SSLSrvConfigRec *)ap_get_module_config(srv->module_config,  &ssl_module)
     29 #define myDirConfig(req) (SSLDirConfigRec *)ap_get_module_config(req->per_dir_config, &ssl_module)
     30 #define myModConfig(srv) (mySrvConfig((srv)))->mc
     31+#define mySrvFromConn(c) (myConnConfig(c))->server
     32+#define mySrvConfigFromConn(c) mySrvConfig(mySrvFromConn(c))
     33+#define myModConfigFromConn(c) myModConfig(mySrvFromConn(c))
     34 
     35 #define myCtxVarSet(mc,num,val)  mc->rCtx.pV##num = val
     36 #define myCtxVarGet(mc,num,type) (type)(mc->rCtx.pV##num)
     37@@ -347,6 +351,7 @@ typedef struct {
     38     int is_proxy;
     39     int disabled;
     40     int non_ssl_request;
     41+    server_rec *server;
     42 } SSLConnRec;
     43 
     44 typedef struct {
     45@@ -449,6 +454,9 @@ struct SSLSrvConfigRec {
     46     BOOL             cipher_server_pref;
     47     modssl_ctx_t    *server;
     48     modssl_ctx_t    *proxy;
     49+#ifndef OPENSSL_NO_TLSEXT
     50+    ssl_enabled_t    strict_sni_vhost_check;
     51+#endif
     52 };
     53 
     54 /**
     55@@ -513,6 +521,9 @@ const char  *ssl_cmd_SSLOptions(cmd_parms *, void
     56 const char  *ssl_cmd_SSLRequireSSL(cmd_parms *, void *);
     57 const char  *ssl_cmd_SSLRequire(cmd_parms *, void *, const char *);
     58 const char  *ssl_cmd_SSLUserName(cmd_parms *, void *, const char *);
     59+#ifndef OPENSSL_NO_TLSEXT
     60+const char  *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
     61+#endif
     62 
     63 const char  *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
     64 const char  *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
     65@@ -555,6 +566,9 @@ int          ssl_callback_NewSessionCacheEntry(SSL
    2766 SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
    2867 void         ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
     
    3473 /**  Session Cache Support  */
    3574 void         ssl_scache_init(server_rec *, apr_pool_t *);
    36 Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c
     75Index: httpd-2.2.11/modules/ssl/ssl_engine_init.c
    3776===================================================================
    38 --- httpd-2.2.x/modules/ssl/ssl_engine_init.c   (revision 763153)
    39 +++ httpd-2.2.x/modules/ssl/ssl_engine_init.c   (working copy)
     77--- httpd-2.2.11/modules/ssl/ssl_engine_init.c  (revision 768863)
     78+++ httpd-2.2.11/modules/ssl/ssl_engine_init.c  (working copy)
    4079@@ -358,6 +358,33 @@ static void ssl_init_server_check(server_rec *s,
    4180     }
     
    118157 }
    119158 
    120 Index: httpd-2.2.x/modules/ssl/ssl_engine_vars.c
     159Index: httpd-2.2.11/modules/ssl/ssl_engine_config.c
    121160===================================================================
    122 --- httpd-2.2.x/modules/ssl/ssl_engine_vars.c   (revision 763153)
    123 +++ httpd-2.2.x/modules/ssl/ssl_engine_vars.c   (working copy)
     161--- httpd-2.2.11/modules/ssl/ssl_engine_config.c        (revision 768863)
     162+++ httpd-2.2.11/modules/ssl/ssl_engine_config.c        (working copy)
     163@@ -169,6 +169,9 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_
     164     sc->vhost_id_len           = 0;     /* set during module init */
     165     sc->session_cache_timeout  = UNSET;
     166     sc->cipher_server_pref     = UNSET;
     167+#ifndef OPENSSL_NO_TLSEXT
     168+    sc->strict_sni_vhost_check = SSL_ENABLED_UNSET;
     169+#endif
     170 
     171     modssl_ctx_init_proxy(sc, p);
     172 
     173@@ -257,6 +260,9 @@ void *ssl_config_server_merge(apr_pool_t *p, void
     174     cfgMergeBool(proxy_enabled);
     175     cfgMergeInt(session_cache_timeout);
     176     cfgMergeBool(cipher_server_pref);
     177+#ifndef OPENSSL_NO_TLSEXT
     178+    cfgMerge(strict_sni_vhost_check, SSL_ENABLED_UNSET);
     179+#endif
     180 
     181     modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy);
     182 
     183@@ -1411,6 +1417,17 @@ const char *ssl_cmd_SSLUserName(cmd_parms *cmd, vo
     184     return NULL;
     185 }
     186 
     187+#ifndef OPENSSL_NO_TLSEXT
     188+const char  *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag)
     189+{
     190+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
     191+
     192+    sc->strict_sni_vhost_check = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE;
     193+
     194+    return NULL;
     195+}
     196+#endif
     197+
     198 void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
     199 {
     200     if (!ap_exists_config_define("DUMP_CERTS")) {
     201Index: httpd-2.2.11/modules/ssl/ssl_engine_io.c
     202===================================================================
     203--- httpd-2.2.11/modules/ssl/ssl_engine_io.c    (revision 768863)
     204+++ httpd-2.2.11/modules/ssl/ssl_engine_io.c    (working copy)
     205@@ -695,7 +695,7 @@ static apr_status_t ssl_io_input_read(bio_filter_i
     206                  */
     207                 ap_log_cerror(APLOG_MARK, APLOG_INFO, inctx->rc, c,
     208                               "SSL library error %d reading data", ssl_err);
     209-                ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
     210+                ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, mySrvFromConn(c));
     211 
     212             }
     213             if (inctx->rc == APR_SUCCESS) {
     214@@ -799,7 +799,7 @@ static apr_status_t ssl_filter_write(ap_filter_t *
     215              */
     216             ap_log_cerror(APLOG_MARK, APLOG_INFO, outctx->rc, c,
     217                           "SSL library error %d writing data", ssl_err);
     218-            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
     219+            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, mySrvFromConn(c));
     220         }
     221         if (outctx->rc == APR_SUCCESS) {
     222             outctx->rc = APR_EGENERAL;
     223@@ -861,7 +861,7 @@ static apr_status_t ssl_io_filter_error(ap_filter_
     224             ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, f->c,
     225                          "SSL handshake failed: HTTP spoken on HTTPS port; "
     226                          "trying to send HTML error page");
     227-            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, f->c->base_server);
     228+            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, sslconn->server);
     229 
     230             sslconn->non_ssl_request = 1;
     231             ssl_io_filter_disable(sslconn, f);
     232@@ -971,11 +971,11 @@ static apr_status_t ssl_filter_io_shutdown(ssl_fil
     233     SSL_smart_shutdown(ssl);
     234 
     235     /* and finally log the fact that we've closed the connection */
     236-    if (c->base_server->loglevel >= APLOG_INFO) {
     237+    if (mySrvFromConn(c)->loglevel >= APLOG_INFO) {
     238         ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
     239                       "Connection closed to child %ld with %s shutdown "
     240                       "(server %s)",
     241-                      c->id, type, ssl_util_vhostid(c->pool, c->base_server));
     242+                      c->id, type, ssl_util_vhostid(c->pool, mySrvFromConn(c)));
     243     }
     244 
     245     /* deallocate the SSL connection */
     246@@ -1021,21 +1021,23 @@ static int ssl_io_filter_connect(ssl_filter_ctx_t
     247 {
     248     conn_rec *c         = (conn_rec *)SSL_get_app_data(filter_ctx->pssl);
     249     SSLConnRec *sslconn = myConnConfig(c);
     250-    SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
     251+    SSLSrvConfigRec *sc;
     252     X509 *cert;
     253     int n;
     254     int ssl_err;
     255     long verify_result;
     256+    server_rec *server;
     257 
     258     if (SSL_is_init_finished(filter_ctx->pssl)) {
     259         return APR_SUCCESS;
     260     }
     261 
     262+    server = mySrvFromConn(c);
     263     if (sslconn->is_proxy) {
     264         if ((n = SSL_connect(filter_ctx->pssl)) <= 0) {
     265             ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
     266                           "SSL Proxy connect failed");
     267-            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
     268+            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server);
     269             /* ensure that the SSL structures etc are freed, etc: */
     270             ssl_filter_io_shutdown(filter_ctx, c, 1);
     271             return HTTP_BAD_GATEWAY;
     272@@ -1092,8 +1094,8 @@ static int ssl_io_filter_connect(ssl_filter_ctx_t
     273             ap_log_cerror(APLOG_MARK, APLOG_INFO, rc, c,
     274                           "SSL library error %d in handshake "
     275                           "(server %s)", ssl_err,
     276-                          ssl_util_vhostid(c->pool, c->base_server));
     277-            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
     278+                          ssl_util_vhostid(c->pool, server));
     279+            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server);
     280 
     281         }
     282         if (inctx->rc == APR_SUCCESS) {
     283@@ -1102,6 +1104,7 @@ static int ssl_io_filter_connect(ssl_filter_ctx_t
     284 
     285         return ssl_filter_io_shutdown(filter_ctx, c, 1);
     286     }
     287+    sc = mySrvConfig(sslconn->server);
     288 
     289     /*
     290      * Check for failed client authentication
     291@@ -1127,7 +1130,7 @@ static int ssl_io_filter_connect(ssl_filter_ctx_t
     292                           "accepting certificate based on "
     293                           "\"SSLVerifyClient optional_no_ca\" "
     294                           "configuration");
     295-            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
     296+            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server);
     297         }
     298         else {
     299             const char *error = sslconn->verify_error ?
     300@@ -1137,7 +1140,7 @@ static int ssl_io_filter_connect(ssl_filter_ctx_t
     301             ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
     302                          "SSL client authentication failed: %s",
     303                          error ? error : "unknown");
     304-            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
     305+            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server);
     306 
     307             return ssl_filter_io_shutdown(filter_ctx, c, 1);
     308         }
     309@@ -1809,7 +1812,7 @@ long ssl_io_data_cb(BIO *bio, int cmd,
     310         return rc;
     311     if ((c = (conn_rec *)SSL_get_app_data(ssl)) == NULL)
     312         return rc;
     313-    s = c->base_server;
     314+    s = mySrvFromConn(c);
     315 
     316     if (   cmd == (BIO_CB_WRITE|BIO_CB_RETURN)
     317         || cmd == (BIO_CB_READ |BIO_CB_RETURN) ) {
     318Index: httpd-2.2.11/modules/ssl/ssl_engine_vars.c
     319===================================================================
     320--- httpd-2.2.11/modules/ssl/ssl_engine_vars.c  (revision 768863)
     321+++ httpd-2.2.11/modules/ssl/ssl_engine_vars.c  (working copy)
    124322@@ -320,6 +320,12 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, con
    125323     else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) {
     
    135333 }
    136334 
    137 Index: httpd-2.2.x/modules/ssl/ssl_engine_kernel.c
     335@@ -589,7 +595,7 @@ static char *ssl_var_lookup_ssl_cert_verify(apr_po
     336     vrc   = SSL_get_verify_result(ssl);
     337     xs    = SSL_get_peer_certificate(ssl);
     338 
     339-    if (vrc == X509_V_OK && verr == NULL && vinfo == NULL && xs == NULL)
     340+    if (vrc == X509_V_OK && verr == NULL && xs == NULL)
     341         /* no client verification done at all */
     342         result = "NONE";
     343     else if (vrc == X509_V_OK && verr == NULL && vinfo == NULL && xs != NULL)
     344Index: httpd-2.2.11/modules/ssl/ssl_engine_kernel.c
    138345===================================================================
    139 --- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (revision 763153)
    140 +++ httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (working copy)
     346--- httpd-2.2.11/modules/ssl/ssl_engine_kernel.c        (revision 768863)
     347+++ httpd-2.2.11/modules/ssl/ssl_engine_kernel.c        (working copy)
    141348@@ -31,6 +31,9 @@
    142349 #include "ssl_private.h"
     
    159366     if (!sslconn) {
    160367         return DECLINED;
    161 @@ -87,6 +93,34 @@ int ssl_hook_ReadReq(request_rec *r)
     368@@ -87,6 +93,51 @@ int ssl_hook_ReadReq(request_rec *r)
    162369     if (!ssl) {
    163370         return DECLINED;
     
    190397+        }
    191398+    }
     399+    else if ((((mySrvConfig(r->server))->strict_sni_vhost_check
     400+                == SSL_ENABLED_TRUE)
     401+             || (mySrvConfig(sslconn->server))->strict_sni_vhost_check
     402+                == SSL_ENABLED_TRUE)
     403+             && r->connection->vhost_lookup_data) {
     404+        /*
     405+         * We are using a name based configuration here, but no hostname was
     406+         * provided via SNI. Don't allow that if are requested to do strict
     407+         * checking. Check whether this strict checking was setup either in the
     408+         * server config we used for handshaking or in our current server.
     409+         * This should avoid insecure configuration by accident.
     410+         */
     411+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
     412+                     "No hostname was provided via SNI for a name based"
     413+                     " virtual host");
     414+        return HTTP_FORBIDDEN;
     415+    }
    192416+#endif
    193417     SSL_set_app_data2(ssl, r);
    194418 
    195419     /*
    196 @@ -252,7 +286,7 @@ int ssl_hook_Access(request_rec *r)
     420@@ -155,10 +206,11 @@ static void ssl_configure_env(request_rec *r, SSLC
     421  */
     422 int ssl_hook_Access(request_rec *r)
     423 {
     424-    SSLDirConfigRec *dc = myDirConfig(r);
     425-    SSLSrvConfigRec *sc = mySrvConfig(r->server);
     426-    SSLConnRec *sslconn = myConnConfig(r->connection);
     427-    SSL *ssl            = sslconn ? sslconn->ssl : NULL;
     428+    SSLDirConfigRec *dc         = myDirConfig(r);
     429+    SSLSrvConfigRec *sc         = mySrvConfig(r->server);
     430+    SSLConnRec *sslconn         = myConnConfig(r->connection);
     431+    SSL *ssl                    = sslconn ? sslconn->ssl : NULL;
     432+    server_rec *handshakeserver = sslconn ? sslconn->server : NULL;
     433     SSL_CTX *ctx = NULL;
     434     apr_array_header_t *requires;
     435     ssl_require_t *ssl_requires;
     436@@ -252,7 +304,7 @@ int ssl_hook_Access(request_rec *r)
    197437      *   has to enable this via ``SSLOptions +OptRenegotiate''. So we do no
    198438      *   implicit optimizations.
    199439      */
    200440-    if (dc->szCipherSuite) {
    201 +    if (dc->szCipherSuite || (r->server != r->connection->base_server)) {
     441+    if (dc->szCipherSuite || (r->server != handshakeserver)) {
    202442         /* remember old state */
    203443 
    204444         if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) {
    205 @@ -267,7 +301,10 @@ int ssl_hook_Access(request_rec *r)
     445@@ -267,7 +319,10 @@ int ssl_hook_Access(request_rec *r)
    206446         }
    207447 
     
    215455                          r->server,
    216456                          "Unable to reconfigure (per-directory) "
    217 @@ -334,8 +371,13 @@ int ssl_hook_Access(request_rec *r)
     457@@ -334,8 +389,13 @@ int ssl_hook_Access(request_rec *r)
    218458             sk_SSL_CIPHER_free(cipher_list_old);
    219459         }
     
    230470                          "Reconfigured cipher suite will force renegotiation");
    231471         }
    232 @@ -353,19 +395,15 @@ int ssl_hook_Access(request_rec *r)
     472@@ -348,24 +408,22 @@ int ssl_hook_Access(request_rec *r)
     473      * function and not by OpenSSL internally (and our function is aware of
     474      * both the per-server and per-directory contexts). So we cannot ask
     475      * OpenSSL about the currently verify depth. Instead we remember it in our
     476-     * ap_ctx attached to the SSL* of OpenSSL.  We've to force the
     477+     * SSLConnRec attached to the SSL* of OpenSSL.  We've to force the
     478      * renegotiation if the reconfigured/new verify depth is less than the
    233479      * currently active/remembered verify depth (because this means more
    234480      * restriction on the certificate chain).
     
    247493-                         "renegotiation");
    248494-        }
    249 +    n = sslconn->verify_depth;
     495+    n = sslconn->verify_depth ?
     496+        sslconn->verify_depth :
     497+        (mySrvConfig(handshakeserver))->server->auth.verify_depth;
     498+    /* determine the new depth */
    250499+    sslconn->verify_depth = (dc->nVerifyDepth != UNSET) ?
    251500+                            dc->nVerifyDepth : sc->server->auth.verify_depth;
    252 +    if ((sslconn->verify_depth < n) ||
    253 +        ((n == 0) && (sc->server->auth.verify_depth == 0))) {
     501+    if (sslconn->verify_depth < n) {
    254502+        renegotiate = TRUE;
    255503+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
     
    259507 
    260508     /*
    261 @@ -382,18 +420,22 @@ int ssl_hook_Access(request_rec *r)
     509@@ -382,18 +440,22 @@ int ssl_hook_Access(request_rec *r)
    262510      * verification but at least skip the I/O-intensive renegotation
    263511      * handshake.
     
    285533             verify |= SSL_VERIFY_PEER;
    286534         }
    287 @@ -491,6 +533,40 @@ int ssl_hook_Access(request_rec *r)
    288                       "Changed client verification locations will force "
    289                       "renegotiation");
    290      }
    291 +#else
    292 +#ifndef OPENSSL_NO_TLSEXT
     535@@ -430,6 +492,45 @@ int ssl_hook_Access(request_rec *r)
     536                              renegotiate_quick ? "quick " : "");
     537              }
     538         }
     539+        /* If we're handling a request for a vhost other than the default one,
     540+         * then we need to make sure that client authentication is properly
     541+         * enforced. For clients supplying an SNI extension, the peer
     542+         * certificate verification has happened in the handshake already
     543+         * (and r->server == handshakeserver). For non-SNI requests,
     544+         * an additional check is needed here. If client authentication
     545+         * is configured as mandatory, then we can only proceed if the
     546+         * CA list doesn't have to be changed (OpenSSL doesn't provide
     547+         * an option to change the list for an existing session).
     548+         */
     549+        if ((r->server != handshakeserver)
     550+            && renegotiate
     551+            && ((verify & SSL_VERIFY_PEER) ||
     552+                (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) {
     553+            SSLSrvConfigRec *hssc = mySrvConfig(handshakeserver);
     554+
    293555+#define MODSSL_CFG_CA_NE(f, sc1, sc2) \
    294 +    (sc1->server->auth.f && \
    295 +     (!sc2->server->auth.f || \
    296 +      sc2->server->auth.f && strNE(sc1->server->auth.f, sc2->server->auth.f)))
    297 +
    298 +    /* If we're handling a request for a vhost other than the default one,
    299 +     * then we need to make sure that client authentication is properly
    300 +     * enforced. For clients supplying an SNI extension, the peer certificate
    301 +     * verification has happened in the handshake already (and r->server
    302 +     * has been set to r->connection->base_server). For non-SNI requests,
    303 +     * an additional check is needed here. If client authentication is
    304 +     * configured as mandatory, then we can only proceed if the CA list
    305 +     * doesn't have to be changed (SSL_set_cert_store() would be required
    306 +     * for this).
    307 +     */
    308 +    if ((r->server != r->connection->base_server) &&
    309 +        (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) &&
    310 +        renegotiate &&
    311 +        !(SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
    312 +        SSLSrvConfigRec *bssc = mySrvConfig(r->connection->base_server);
    313 +
    314 +        if (MODSSL_CFG_CA_NE(ca_cert_file, sc, bssc) ||
    315 +            MODSSL_CFG_CA_NE(ca_cert_path, sc, bssc)) {
    316 +            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
    317 +                 "Non-default virtual host with SSLVerify set to 'require' "
    318 +                 "and VirtualHost-specific CA certificate list is only "
    319 +                 "supported for clients with TLS server name indication "
    320 +                 "(SNI) support");
    321 +            return HTTP_FORBIDDEN;
     556+            (sc1->server->auth.f && \
     557+             (!sc2->server->auth.f || \
     558+              strNE(sc1->server->auth.f, sc2->server->auth.f)))
     559+
     560+            if (MODSSL_CFG_CA_NE(ca_cert_file, sc, hssc) ||
     561+                MODSSL_CFG_CA_NE(ca_cert_path, sc, hssc)) {
     562+                if (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
     563+                    ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
     564+                         "Non-default virtual host with SSLVerify set to "
     565+                         "'require' and VirtualHost-specific CA certificate "
     566+                         "list is only available to clients with TLS server "
     567+                         "name indication (SNI) support");
     568+                    modssl_set_verify(ssl, verify_old, NULL);
     569+                    return HTTP_FORBIDDEN;
     570+                } else
     571+                    /* let it pass, possibly with an "incorrect" peer cert,
     572+                     * so make sure the SSL_CLIENT_VERIFY environment variable
     573+                     * will indicate partial success only, later on.
     574+                     */
     575+                    sslconn->verify_info = "GENEROUS";
     576+            }
    322577+        }
    323 +    }
    324 +#endif /* OPENSSL_NO_TLSEXT */
    325  #endif /* HAVE_SSL_SET_CERT_STORE */
    326  
    327      /* If a renegotiation is now required for this location, and the
    328 @@ -675,8 +751,10 @@ int ssl_hook_Access(request_rec *r)
     578     }
     579 
     580     /*
     581@@ -666,8 +767,10 @@ int ssl_hook_Access(request_rec *r)
    329582         /*
    330583          * Finally check for acceptable renegotiation results
     
    339592             if (do_verify && (SSL_get_verify_result(ssl) != X509_V_OK)) {
    340593                 ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
    341 @@ -1006,6 +1084,9 @@ int ssl_hook_Fixup(request_rec *r)
     594@@ -997,6 +1100,9 @@ int ssl_hook_Fixup(request_rec *r)
    342595     SSLDirConfigRec *dc = myDirConfig(r);
    343596     apr_table_t *env = r->subprocess_env;
     
    349602     SSL *ssl;
    350603     int i;
    351 @@ -1027,6 +1108,13 @@ int ssl_hook_Fixup(request_rec *r)
     604@@ -1018,6 +1124,13 @@ int ssl_hook_Fixup(request_rec *r)
    352605     /* the always present HTTPS (=HTTP over SSL) flag! */
    353606     apr_table_setn(env, "HTTPS", "on");
     
    363616     if (dc->nOptions & SSL_OPT_STDENVVARS) {
    364617         for (i = 0; ssl_hook_Fixup_vars[i]; i++) {
    365 @@ -1175,8 +1263,8 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX
     618@@ -1105,7 +1218,7 @@ int ssl_hook_Fixup(request_rec *r)
     619 RSA *ssl_callback_TmpRSA(SSL *ssl, int export, int keylen)
     620 {
     621     conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
     622-    SSLModConfigRec *mc = myModConfig(c->base_server);
     623+    SSLModConfigRec *mc = myModConfigFromConn(c);
     624     int idx;
     625 
     626     ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
     627@@ -1137,7 +1250,7 @@ RSA *ssl_callback_TmpRSA(SSL *ssl, int export, int
     628 DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen)
     629 {
     630     conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
     631-    SSLModConfigRec *mc = myModConfig(c->base_server);
     632+    SSLModConfigRec *mc = myModConfigFromConn(c);
     633     int idx;
     634 
     635     ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
     636@@ -1166,8 +1279,8 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX
    366637     SSL *ssl = X509_STORE_CTX_get_ex_data(ctx,
    367638                                           SSL_get_ex_data_X509_STORE_CTX_idx());
     
    369640-    server_rec *s       = conn->base_server;
    370641     request_rec *r      = (request_rec *)SSL_get_app_data2(ssl);
    371 +    server_rec *s       = r ? r->server : conn->base_server;
     642+    server_rec *s       = r ? r->server : mySrvFromConn(conn);
    372643 
    373644     SSLSrvConfigRec *sc = mySrvConfig(s);
    374645     SSLDirConfigRec *dc = r ? myDirConfig(r) : NULL;
    375 @@ -1299,7 +1387,10 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX
     646@@ -1290,7 +1403,10 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX
    376647 
    377648 int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, conn_rec *c)
     
    381652+                                          SSL_get_ex_data_X509_STORE_CTX_idx());
    382653+    request_rec *r      = (request_rec *)SSL_get_app_data2(ssl);
    383 +    server_rec *s       = r ? r->server : c->base_server;
     654+    server_rec *s       = r ? r->server : mySrvFromConn(c);
    384655     SSLSrvConfigRec *sc = mySrvConfig(s);
    385656     SSLConnRec *sslconn = myConnConfig(c);
    386657     modssl_ctx_t *mctx  = myCtxConfig(sslconn, sc);
    387 @@ -1819,3 +1910,141 @@ void ssl_callback_LogTracingState(MODSSL_INFO_CB_A
     658@@ -1515,7 +1631,7 @@ static void modssl_proxy_info_log(server_rec *s,
     659 int ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey)
     660 {
     661     conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
     662-    server_rec *s = c->base_server;
     663+    server_rec *s = mySrvFromConn(c);
     664     SSLSrvConfigRec *sc = mySrvConfig(s);
     665     X509_NAME *ca_name, *issuer;
     666     X509_INFO *info;
     667@@ -1613,7 +1729,7 @@ int ssl_callback_NewSessionCacheEntry(SSL *ssl, SS
     668 {
     669     /* Get Apache context back through OpenSSL context */
     670     conn_rec *conn      = (conn_rec *)SSL_get_app_data(ssl);
     671-    server_rec *s       = conn->base_server;
     672+    server_rec *s       = mySrvFromConn(conn);
     673     SSLSrvConfigRec *sc = mySrvConfig(s);
     674     long timeout        = sc->session_cache_timeout;
     675     BOOL rc;
     676@@ -1661,7 +1777,7 @@ SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL
     677 {
     678     /* Get Apache context back through OpenSSL context */
     679     conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
     680-    server_rec *s  = conn->base_server;
     681+    server_rec *s  = mySrvFromConn(conn);
     682     SSL_SESSION *session;
     683 
     684     /*
     685@@ -1739,7 +1855,7 @@ void ssl_callback_LogTracingState(MODSSL_INFO_CB_A
     686         return;
     687     }
     688 
     689-    s = c->base_server;
     690+    s = mySrvFromConn(c);
     691     if (!(sc = mySrvConfig(s))) {
     692         return;
     693     }
     694@@ -1810,3 +1926,138 @@ void ssl_callback_LogTracingState(MODSSL_INFO_CB_A
    388695     }
    389696 }
     
    434741+    apr_array_header_t *names;
    435742+    int i;
     743+    SSLConnRec *sslcon;
    436744+
    437745+    /* check ServerName */
     
    476784+
    477785+    /* set SSL_CTX (if matched) */
    478 +    if (found && (ssl = ((SSLConnRec *)myConnConfig(c))->ssl) &&
     786+    sslcon = myConnConfig(c);
     787+    if (found && (ssl = sslcon->ssl) &&
    479788+        (sc = mySrvConfig(s))) {
    480789+        SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx);
     
    499808+
    500809+        /*
    501 +         * We also need to make sure that the correct mctx
    502 +         * (accessed through the c->base_server->module_config vector)
    503 +         * is assigned to the connection - the CRL callback e.g.
    504 +         * makes use of it for retrieving its store (mctx->crl).
    505 +         * Since logging in callbacks uses c->base_server in many
    506 +         * cases, it also ensures that these messages are routed
    507 +         * to the proper log.
     810+         * Save the found server into our SSLConnRec for later
     811+         * retrieval
    508812+         */
    509 +        c->base_server = s;
     813+        sslcon->server = s;
    510814+
    511815+        /*
     
    516820+         * we need to set that callback here.
    517821+         */
    518 +        if (c->base_server->loglevel >= APLOG_DEBUG) {
     822+        if (s->loglevel >= APLOG_DEBUG) {
    519823+            BIO_set_callback(SSL_get_rbio(ssl), ssl_io_data_cb);
    520824+            BIO_set_callback_arg(SSL_get_rbio(ssl), (void *)ssl);
     
    527831+}
    528832+#endif
    529 Index: httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h
     833Index: httpd-2.2.11/modules/ssl/mod_ssl.c
    530834===================================================================
    531 --- httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h        (revision 763153)
    532 +++ httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h        (working copy)
     835--- httpd-2.2.11/modules/ssl/mod_ssl.c  (revision 768863)
     836+++ httpd-2.2.11/modules/ssl/mod_ssl.c  (working copy)
     837@@ -145,6 +145,10 @@ static const command_rec ssl_config_cmds[] = {
     838                 "Use the server's cipher ordering preference")
     839     SSL_CMD_ALL(UserName, TAKE1,
     840                 "Set user name to SSL variable value")
     841+#ifndef OPENSSL_NO_TLSEXT
     842+    SSL_CMD_SRV(StrictSNIVHostCheck, FLAG,
     843+                "Strict SNI virtual host checking")
     844+#endif
     845 
     846     /*
     847      * Proxy configuration for remote SSL connections
     848@@ -295,6 +299,8 @@ static SSLConnRec *ssl_init_connection_ctx(conn_re
     849 
     850     sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
     851 
     852+    sslconn->server = c->base_server;
     853+
     854     myConnConfigSet(c, sslconn);
     855 
     856     return sslconn;
     857@@ -302,9 +308,10 @@ static SSLConnRec *ssl_init_connection_ctx(conn_re
     858 
     859 int ssl_proxy_enable(conn_rec *c)
     860 {
     861-    SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
     862+    SSLSrvConfigRec *sc;
     863 
     864     SSLConnRec *sslconn = ssl_init_connection_ctx(c);
     865+    sc = mySrvConfig(sslconn->server);
     866 
     867     if (!sc->proxy_enabled) {
     868         ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
     869@@ -322,10 +329,16 @@ int ssl_proxy_enable(conn_rec *c)
     870 
     871 int ssl_engine_disable(conn_rec *c)
     872 {
     873-    SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
     874+    SSLSrvConfigRec *sc;
     875 
     876-    SSLConnRec *sslconn;
     877+    SSLConnRec *sslconn = myConnConfig(c);
     878 
     879+    if (sslconn) {
     880+        sc = mySrvConfig(sslconn->server);
     881+    }
     882+    else {
     883+        sc = mySrvConfig(c->base_server);
     884+    }
     885     if (sc->enabled == SSL_ENABLED_FALSE) {
     886         return 0;
     887     }
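Review bot: The "take the server from the SSLConnRec when one exists, otherwise fall back to c->base_server" block added to ssl_engine_disable here is repeated verbatim in ssl_hook_pre_connection in the later hunk (`@@ -429,9 +445,15 @@`), and ssl_init_ssl_connection needs the same value after creating the context. A small static helper would keep the three call sites in step, which matters because the whole point of the patch is that c->base_server may no longer be the vhost the SNI callback selected, so any site that forgets the fallback logic silently reverts to the default vhost's configuration. Both enclosing functions continue outside their hunks; the helper below is written against the names the hunks already use (myConnConfig, SSLConnRec, conn_rec).
```c
/* Server whose mod_ssl config governs this connection: the SNI-selected
 * server recorded in the SSLConnRec when present, else the base server. */
static server_rec *ssl_conn_server(conn_rec *c)
{
    SSLConnRec *sslconn = myConnConfig(c);
    return sslconn ? sslconn->server : c->base_server;
}
/* … unchanged: callers then use mySrvConfig(ssl_conn_server(c)) … */
```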
     888@@ -339,21 +352,24 @@ int ssl_engine_disable(conn_rec *c)
     889 
     890 int ssl_init_ssl_connection(conn_rec *c)
     891 {
     892-    SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
     893+    SSLSrvConfigRec *sc;
     894     SSL *ssl;
     895     SSLConnRec *sslconn = myConnConfig(c);
     896     char *vhost_md5;
     897     modssl_ctx_t *mctx;
     898+    server_rec *server;
     899 
     900+    if (!sslconn) {
     901+        sslconn = ssl_init_connection_ctx(c);
     902+    }
     903+    server = sslconn->server;
     904+    sc = mySrvConfig(server);
     905+
     906     /*
     907      * Seed the Pseudo Random Number Generator (PRNG)
     908      */
     909-    ssl_rand_seed(c->base_server, c->pool, SSL_RSCTX_CONNECT, "");
     910+    ssl_rand_seed(server, c->pool, SSL_RSCTX_CONNECT, "");
     911 
     912-    if (!sslconn) {
     913-        sslconn = ssl_init_connection_ctx(c);
     914-    }
     915-
     916     mctx = sslconn->is_proxy ? sc->proxy : sc->server;
     917 
     918     /*
     919@@ -365,7 +381,7 @@ int ssl_init_ssl_connection(conn_rec *c)
     920         ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
     921                       "Unable to create a new SSL connection from the SSL "
     922                       "context");
     923-        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
     924+        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, server);
     925 
     926         c->aborted = 1;
     927 
     928@@ -380,7 +396,7 @@ int ssl_init_ssl_connection(conn_rec *c)
     929     {
     930         ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
     931                       "Unable to set session id context to `%s'", vhost_md5);
     932-        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server);
     933+        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, server);
     934 
     935         c->aborted = 1;
     936 
     937@@ -429,9 +445,15 @@ static apr_port_t ssl_hook_default_port(const requ
     938 
     939 static int ssl_hook_pre_connection(conn_rec *c, void *csd)
     940 {
     941-    SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
     942+    SSLSrvConfigRec *sc;
     943     SSLConnRec *sslconn = myConnConfig(c);
     944 
     945+    if (sslconn) {
     946+        sc = mySrvConfig(sslconn->server);
     947+    }
     948+    else {
     949+        sc = mySrvConfig(c->base_server);
     950+    }
     951     /*
     952      * Immediately stop processing if SSL is disabled for this connection
     953      */
     954Index: httpd-2.2.11/modules/ssl/ssl_toolkit_compat.h
     955===================================================================
     956--- httpd-2.2.11/modules/ssl/ssl_toolkit_compat.h       (revision 768863)
     957+++ httpd-2.2.11/modules/ssl/ssl_toolkit_compat.h       (working copy)
    533958@@ -264,6 +264,12 @@ typedef void (*modssl_popfree_fn)(char *data);
    534959 #define SSL_SESS_CACHE_NO_INTERNAL  SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
     
    544969 
    545970 /** @} */
     971Index: httpd-2.2.11/docs/manual/mod/mod_ssl.html.en
     972===================================================================
     973--- httpd-2.2.11/docs/manual/mod/mod_ssl.html.en        (revision 768863)
     974+++ httpd-2.2.11/docs/manual/mod/mod_ssl.html.en        (working copy)
     975@@ -75,6 +75,7 @@ to provide the cryptography engine.</p>
     976 <li><img alt="" src="../images/down.gif" /> <a href="#sslrequiressl">SSLRequireSSL</a></li>
     977 <li><img alt="" src="../images/down.gif" /> <a href="#sslsessioncache">SSLSessionCache</a></li>
     978 <li><img alt="" src="../images/down.gif" /> <a href="#sslsessioncachetimeout">SSLSessionCacheTimeout</a></li>
     979+<li><img alt="" src="../images/down.gif" /> <a href="#sslstrictsnivhostcheck">SSLStrictSNIVHostCheck</a></li>
     980 <li><img alt="" src="../images/down.gif" /> <a href="#sslusername">SSLUserName</a></li>
     981 <li><img alt="" src="../images/down.gif" /> <a href="#sslverifyclient">SSLVerifyClient</a></li>
     982 <li><img alt="" src="../images/down.gif" /> <a href="#sslverifydepth">SSLVerifyDepth</a></li>
     983@@ -1613,6 +1614,37 @@ SSLSessionCacheTimeout 600
     984 
     985 </div>
     986 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
     987+<div class="directive-section"><h2><a name="SSLStrictSNIVHostCheck" id="SSLStrictSNIVHostCheck">SSLStrictSNIVHostCheck</a> <a name="sslstrictsnivhostcheck" id="sslstrictsnivhostcheck">Directive</a></h2>
     988+<table class="directive">
     989+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Whether to allow non SNI clients to access a name based virtual
     990+host.
     991+</td></tr>
     992+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLStrictSNIVHostCheck on|off</code></td></tr>
     993+<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLStrictSNIVHostCheck off</code></td></tr>
     994+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
     995+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
     996+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
     997+</table>
     998+<p>
     999+This directive sets whether a non SNI client is allowed to access a name based
     1000+virtual host. If set to <code>on</code> in the non default name based virtual
     1001+host, non SNI clients are not allowed to access this particular virtual host.
     1002+If set to <code>on</code> in the default name based virtual host, non SNI
     1003+clients are not allowed to access any name based virtual host belonging to
     1004+this IP / port combination.
     1005+</p>
     1006+
     1007+<div class="warning"><p>
     1008+This option is only available if httpd was compiled against an SNI capable
     1009+version of OpenSSL.
     1010+</p></div>
     1011+
     1012+<div class="example"><h3>Example</h3><p><code>
     1013+SSLStrictSNIVHostCheck on
     1014+</code></p></div>
     1015+
     1016+</div>
     1017+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
     1018 <div class="directive-section"><h2><a name="SSLUserName" id="SSLUserName">SSLUserName</a> <a name="sslusername" id="sslusername">Directive</a></h2>
     1019 <table class="directive">
     1020 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Variable name to determine user name</td></tr>
     1021@@ -1717,6 +1749,6 @@ SSLVerifyDepth 10
     1022 <div class="bottomlang">
     1023 <p><span>Available Languages: </span><a href="../en/mod/mod_ssl.html" title="English">&nbsp;en&nbsp;</a></p>
     1024 </div><div id="footer">
     1025-<p class="apache">Copyright 2008 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
     1026+<p class="apache">Copyright 2009 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
     1027 <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div>
     1028 </body></html>