Changeset 1115 for server/common/patches
- Timestamp:
- May 6, 2009, 4:19:41 AM (15 years ago)
- File:
-
- 1 edited
server/common/patches/httpd-2.2.x-sni.patch
r1102 r1115 1 http d-2.2.x-sni.patch - server name indication support for Apache 2.22 (see RFC 4366, "Transport Layer Security (TLS) Extensions")1 http://sni.velox.ch/httpd-2.2.11-sni.20090427.patch - server name indication 2 support for mod_ssl / Apache 2.2.11 (RFC 4366, section 3.1) 3 3 4 Last updated 2009-04-08 4 Last updated 2009-04-27, by Kaspar Brand. 5 Provided AS IS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND. 5 6 6 based on a patch from the EdelKey project 7 (http://www.edelweb.fr/EdelKey/files/apache-2.2.0+0.9.9+servername.patch) 7 Based on a patch from the EdelKey project (http://www.edelweb.fr/EdelKey/files/), 8 includes further improvements by Ruediger Pluem (from httpd trunk). 8 9 9 10 Needs openssl-SNAP-20060330 / OpenSSL 0.9.8f or later … … 12 13 at compile time ("./config enable-tlsext"). 13 14 14 Index: httpd-2.2. x/modules/ssl/ssl_private.h15 Index: httpd-2.2.11/modules/ssl/ssl_private.h 15 16 =================================================================== 16 --- httpd-2.2. x/modules/ssl/ssl_private.h (revision 763153)17 +++ httpd-2.2. x/modules/ssl/ssl_private.h (working copy)17 --- httpd-2.2.11/modules/ssl/ssl_private.h (revision 768863) 18 +++ httpd-2.2.11/modules/ssl/ssl_private.h (working copy) 18 19 @@ -35,6 +35,7 @@ 19 20 #include "http_connection.h" … … 24 25 #include "util_filter.h" 25 26 #include "util_ebcdic.h" 26 @@ -562,6 +563,9 @@ int ssl_callback_NewSessionCacheEntry(SSL 27 
@@ -129,6 +130,9 @@ ap_set_module_config(c->conn_config, &ssl_module, 28 #define mySrvConfig(srv) (SSLSrvConfigRec *)ap_get_module_config(srv->module_config, &ssl_module) 29 #define myDirConfig(req) (SSLDirConfigRec *)ap_get_module_config(req->per_dir_config, &ssl_module) 30 #define myModConfig(srv) (mySrvConfig((srv)))->mc 31 +#define mySrvFromConn(c) (myConnConfig(c))->server 32 +#define mySrvConfigFromConn(c) mySrvConfig(mySrvFromConn(c)) 33 +#define myModConfigFromConn(c) myModConfig(mySrvFromConn(c)) 34 35 #define myCtxVarSet(mc,num,val) mc->rCtx.pV##num = val 36 #define myCtxVarGet(mc,num,type) (type)(mc->rCtx.pV##num) 37 @@ -347,6 +351,7 @@ typedef struct { 38 int is_proxy; 39 int disabled; 40 int non_ssl_request; 41 + server_rec *server; 42 } SSLConnRec; 43 44 typedef struct { 45 @@ -449,6 +454,9 @@ struct SSLSrvConfigRec { 46 BOOL cipher_server_pref; 47 modssl_ctx_t *server; 48 modssl_ctx_t *proxy; 49 +#ifndef OPENSSL_NO_TLSEXT 50 + ssl_enabled_t strict_sni_vhost_check; 51 +#endif 52 }; 53 54 /** 55 @@ -513,6 +521,9 @@ const char *ssl_cmd_SSLOptions(cmd_parms *, void 56 const char *ssl_cmd_SSLRequireSSL(cmd_parms *, void *); 57 const char *ssl_cmd_SSLRequire(cmd_parms *, void *, const char *); 58 const char *ssl_cmd_SSLUserName(cmd_parms *, void *, const char *); 59 +#ifndef OPENSSL_NO_TLSEXT 60 +const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag); 61 +#endif 62 63 const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag); 64 const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *); 65 
@@ -555,6 +566,9 @@ int ssl_callback_NewSessionCacheEntry(SSL 27 66 SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *); 28 67 void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *); … … 34 73 /** Session Cache Support */ 35 74 void ssl_scache_init(server_rec *, apr_pool_t *); 36 Index: httpd-2.2. x/modules/ssl/ssl_engine_init.c75 Index: httpd-2.2.11/modules/ssl/ssl_engine_init.c 37 76 =================================================================== 38 --- httpd-2.2. x/modules/ssl/ssl_engine_init.c (revision 763153)39 +++ httpd-2.2. x/modules/ssl/ssl_engine_init.c (working copy)77 --- httpd-2.2.11/modules/ssl/ssl_engine_init.c (revision 768863) 78 +++ httpd-2.2.11/modules/ssl/ssl_engine_init.c (working copy) 40 79 @@ -358,6 +358,33 @@ static void ssl_init_server_check(server_rec *s, 41 80 } … … 118 157 } 119 158 120 Index: httpd-2.2. x/modules/ssl/ssl_engine_vars.c159 Index: httpd-2.2.11/modules/ssl/ssl_engine_config.c 121 160 =================================================================== 122 --- httpd-2.2.x/modules/ssl/ssl_engine_vars.c (revision 763153) 123 +++ httpd-2.2.x/modules/ssl/ssl_engine_vars.c (working copy) 161 --- httpd-2.2.11/modules/ssl/ssl_engine_config.c (revision 768863) 162 +++ httpd-2.2.11/modules/ssl/ssl_engine_config.c (working copy) 163 @@ -169,6 +169,9 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_ 164 sc->vhost_id_len = 0; /* set during module init */ 165 sc->session_cache_timeout = UNSET; 166 sc->cipher_server_pref = UNSET; 167 +#ifndef OPENSSL_NO_TLSEXT 168 + sc->strict_sni_vhost_check = SSL_ENABLED_UNSET; 169 +#endif 170 171 modssl_ctx_init_proxy(sc, p); 172 173 
@@ -257,6 +260,9 @@ void *ssl_config_server_merge(apr_pool_t *p, void 174 cfgMergeBool(proxy_enabled); 175 cfgMergeInt(session_cache_timeout); 176 cfgMergeBool(cipher_server_pref); 177 +#ifndef OPENSSL_NO_TLSEXT 178 + cfgMerge(strict_sni_vhost_check, SSL_ENABLED_UNSET); 179 +#endif 180 181 modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy); 182 183 @@ -1411,6 +1417,17 @@ const char *ssl_cmd_SSLUserName(cmd_parms *cmd, vo 184 return NULL; 185 } 186 187 +#ifndef OPENSSL_NO_TLSEXT 188 +const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag) 189 +{ 190 + SSLSrvConfigRec *sc = mySrvConfig(cmd->server); 191 + 192 + sc->strict_sni_vhost_check = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE; 193 + 194 + return NULL; 195 +} 196 +#endif 197 + 198 void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s) 199 { 200 if (!ap_exists_config_define("DUMP_CERTS")) { 201 Index: httpd-2.2.11/modules/ssl/ssl_engine_io.c 202 =================================================================== 203 --- httpd-2.2.11/modules/ssl/ssl_engine_io.c (revision 768863) 204 +++ httpd-2.2.11/modules/ssl/ssl_engine_io.c (working copy) 205 @@ -695,7 +695,7 @@ static apr_status_t ssl_io_input_read(bio_filter_i 206 */ 207 ap_log_cerror(APLOG_MARK, APLOG_INFO, inctx->rc, c, 208 "SSL library error %d reading data", ssl_err); 209 - ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server); 210 + ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, mySrvFromConn(c)); 211 212 } 213 if (inctx->rc == APR_SUCCESS) { 214 @@ -799,7 +799,7 @@ static apr_status_t ssl_filter_write(ap_filter_t * 215 */ 216 ap_log_cerror(APLOG_MARK, APLOG_INFO, outctx->rc, c, 217 "SSL library error %d writing data", ssl_err); 218 - ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server); 219 + ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, mySrvFromConn(c)); 220 } 221 if (outctx->rc == APR_SUCCESS) { 222 outctx->rc = APR_EGENERAL; 223 
@@ -861,7 +861,7 @@ static apr_status_t ssl_io_filter_error(ap_filter_ 224 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, f->c, 225 "SSL handshake failed: HTTP spoken on HTTPS port; " 226 "trying to send HTML error page"); 227 - ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, f->c->base_server); 228 + ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, sslconn->server); 229 230 sslconn->non_ssl_request = 1; 231 ssl_io_filter_disable(sslconn, f); 232 @@ -971,11 +971,11 @@ static apr_status_t ssl_filter_io_shutdown(ssl_fil 233 SSL_smart_shutdown(ssl); 234 235 /* and finally log the fact that we've closed the connection */ 236 - if (c->base_server->loglevel >= APLOG_INFO) { 237 + if (mySrvFromConn(c)->loglevel >= APLOG_INFO) { 238 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, 239 "Connection closed to child %ld with %s shutdown " 240 "(server %s)", 241 - c->id, type, ssl_util_vhostid(c->pool, c->base_server)); 242 + c->id, type, ssl_util_vhostid(c->pool, mySrvFromConn(c))); 243 } 244 245 /* deallocate the SSL connection */ 246 @@ -1021,21 +1021,23 @@ static int ssl_io_filter_connect(ssl_filter_ctx_t 247 { 248 conn_rec *c = (conn_rec *)SSL_get_app_data(filter_ctx->pssl); 249 SSLConnRec *sslconn = myConnConfig(c); 250 - SSLSrvConfigRec *sc = mySrvConfig(c->base_server); 251 + SSLSrvConfigRec *sc; 252 X509 *cert; 253 int n; 254 int ssl_err; 255 long verify_result; 256 + server_rec *server; 257 258 if (SSL_is_init_finished(filter_ctx->pssl)) { 259 return APR_SUCCESS; 260 } 261 262 + server = mySrvFromConn(c); 263 if (sslconn->is_proxy) { 264 if ((n = SSL_connect(filter_ctx->pssl)) <= 0) { 265 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, 266 "SSL Proxy connect failed"); 267 - ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server); 268 + ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server); 269 /* ensure that the SSL structures etc are freed, etc: */ 270 ssl_filter_io_shutdown(filter_ctx, c, 1); 271 return HTTP_BAD_GATEWAY; 272 
@@ -1092,8 +1094,8 @@ static int ssl_io_filter_connect(ssl_filter_ctx_t 273 ap_log_cerror(APLOG_MARK, APLOG_INFO, rc, c, 274 "SSL library error %d in handshake " 275 "(server %s)", ssl_err, 276 - ssl_util_vhostid(c->pool, c->base_server)); 277 - ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server); 278 + ssl_util_vhostid(c->pool, server)); 279 + ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server); 280 281 } 282 if (inctx->rc == APR_SUCCESS) { 283 @@ -1102,6 +1104,7 @@ static int ssl_io_filter_connect(ssl_filter_ctx_t 284 285 return ssl_filter_io_shutdown(filter_ctx, c, 1); 286 } 287 + sc = mySrvConfig(sslconn->server); 288 289 /* 290 * Check for failed client authentication 291 @@ -1127,7 +1130,7 @@ static int ssl_io_filter_connect(ssl_filter_ctx_t 292 "accepting certificate based on " 293 "\"SSLVerifyClient optional_no_ca\" " 294 "configuration"); 295 - ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server); 296 + ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server); 297 } 298 else { 299 const char *error = sslconn->verify_error ? 300 @@ -1137,7 +1140,7 @@ static int ssl_io_filter_connect(ssl_filter_ctx_t 301 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, 302 "SSL client authentication failed: %s", 303 error ? error : "unknown"); 304 - ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server); 305 + ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server); 306 307 return ssl_filter_io_shutdown(filter_ctx, c, 1); 308 } 309 
@@ -1809,7 +1812,7 @@ long ssl_io_data_cb(BIO *bio, int cmd, 310 return rc; 311 if ((c = (conn_rec *)SSL_get_app_data(ssl)) == NULL) 312 return rc; 313 - s = c->base_server; 314 + s = mySrvFromConn(c); 315 316 if ( cmd == (BIO_CB_WRITE|BIO_CB_RETURN) 317 || cmd == (BIO_CB_READ |BIO_CB_RETURN) ) { 318 Index: httpd-2.2.11/modules/ssl/ssl_engine_vars.c 319 =================================================================== 320 --- httpd-2.2.11/modules/ssl/ssl_engine_vars.c (revision 768863) 321 +++ httpd-2.2.11/modules/ssl/ssl_engine_vars.c (working copy) 124 322 @@ -320,6 +320,12 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, con 125 323 else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) { … … 135 333 } 136 334 137 Index: httpd-2.2.x/modules/ssl/ssl_engine_kernel.c 335 @@ -589,7 +595,7 @@ static char *ssl_var_lookup_ssl_cert_verify(apr_po 336 vrc = SSL_get_verify_result(ssl); 337 xs = SSL_get_peer_certificate(ssl); 338 339 - if (vrc == X509_V_OK && verr == NULL && vinfo == NULL && xs == NULL) 340 + if (vrc == X509_V_OK && verr == NULL && xs == NULL) 341 /* no client verification done at all */ 342 result = "NONE"; 343 else if (vrc == X509_V_OK && verr == NULL && vinfo == NULL && xs != NULL) 344 Index: httpd-2.2.11/modules/ssl/ssl_engine_kernel.c 138 345 =================================================================== 139 --- httpd-2.2. x/modules/ssl/ssl_engine_kernel.c (revision 763153)140 +++ httpd-2.2. x/modules/ssl/ssl_engine_kernel.c (working copy)346 --- httpd-2.2.11/modules/ssl/ssl_engine_kernel.c (revision 768863) 347 +++ httpd-2.2.11/modules/ssl/ssl_engine_kernel.c (working copy) 141 348 @@ -31,6 +31,9 @@ 142 349 #include "ssl_private.h" … … 159 366 if (!sslconn) { 160 367 return DECLINED; 161 @@ -87,6 +93, 34@@ int ssl_hook_ReadReq(request_rec *r)368 
@@ -87,6 +93,51 @@ int ssl_hook_ReadReq(request_rec *r) 162 369 if (!ssl) { 163 370 return DECLINED; … … 190 397 + } 191 398 + } 399 + else if ((((mySrvConfig(r->server))->strict_sni_vhost_check 400 + == SSL_ENABLED_TRUE) 401 + || (mySrvConfig(sslconn->server))->strict_sni_vhost_check 402 + == SSL_ENABLED_TRUE) 403 + && r->connection->vhost_lookup_data) { 404 + /* 405 + * We are using a name based configuration here, but no hostname was 406 + * provided via SNI. Don't allow that if are requested to do strict 407 + * checking. Check whether this strict checking was setup either in the 408 + * server config we used for handshaking or in our current server. 409 + * This should avoid insecure configuration by accident. 410 + */ 411 + ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, 412 + "No hostname was provided via SNI for a name based" 413 + " virtual host"); 414 + return HTTP_FORBIDDEN; 415 + } 192 416 +#endif 193 417 SSL_set_app_data2(ssl, r); 194 418 195 419 /* 196 @@ -252,7 +286,7 @@ int ssl_hook_Access(request_rec *r) 420 @@ -155,10 +206,11 @@ static void ssl_configure_env(request_rec *r, SSLC 421 */ 422 int ssl_hook_Access(request_rec *r) 423 { 424 - SSLDirConfigRec *dc = myDirConfig(r); 425 - SSLSrvConfigRec *sc = mySrvConfig(r->server); 426 - SSLConnRec *sslconn = myConnConfig(r->connection); 427 - SSL *ssl = sslconn ? sslconn->ssl : NULL; 428 + SSLDirConfigRec *dc = myDirConfig(r); 429 + SSLSrvConfigRec *sc = mySrvConfig(r->server); 430 + SSLConnRec *sslconn = myConnConfig(r->connection); 431 + SSL *ssl = sslconn ? sslconn->ssl : NULL; 432 + server_rec *handshakeserver = sslconn ? sslconn->server : NULL; 433 SSL_CTX *ctx = NULL; 434 apr_array_header_t *requires; 435 ssl_require_t *ssl_requires; 436 
@@ -252,7 +304,7 @@ int ssl_hook_Access(request_rec *r) 197 437 * has to enable this via ``SSLOptions +OptRenegotiate''. So we do no 198 438 * implicit optimizations. 199 439 */ 200 440 - if (dc->szCipherSuite) { 201 + if (dc->szCipherSuite || (r->server != r->connection->base_server)) {441 + if (dc->szCipherSuite || (r->server != handshakeserver)) { 202 442 /* remember old state */ 203 443 204 444 if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) { 205 @@ -267,7 +3 01,10 @@ int ssl_hook_Access(request_rec *r)445 @@ -267,7 +319,10 @@ int ssl_hook_Access(request_rec *r) 206 446 } 207 447 … … 215 455 r->server, 216 456 "Unable to reconfigure (per-directory) " 217 @@ -334,8 +3 71,13 @@ int ssl_hook_Access(request_rec *r)457 @@ -334,8 +389,13 @@ int ssl_hook_Access(request_rec *r) 218 458 sk_SSL_CIPHER_free(cipher_list_old); 219 459 } … … 230 470 "Reconfigured cipher suite will force renegotiation"); 231 471 } 232 @@ -353,19 +395,15 @@ int ssl_hook_Access(request_rec *r) 472 
@@ -348,24 +408,22 @@ int ssl_hook_Access(request_rec *r) 473 * function and not by OpenSSL internally (and our function is aware of 474 * both the per-server and per-directory contexts). So we cannot ask 475 * OpenSSL about the currently verify depth. Instead we remember it in our 476 - * ap_ctx attached to the SSL* of OpenSSL. We've to force the 477 + * SSLConnRec attached to the SSL* of OpenSSL. We've to force the 478 * renegotiation if the reconfigured/new verify depth is less than the 233 479 * currently active/remembered verify depth (because this means more 234 480 * restriction on the certificate chain). … … 247 493 - "renegotiation"); 248 494 - } 249 + n = sslconn->verify_depth; 495 + n = sslconn->verify_depth ? 496 + sslconn->verify_depth : 497 + (mySrvConfig(handshakeserver))->server->auth.verify_depth; 498 + /* determine the new depth */ 250 499 + sslconn->verify_depth = (dc->nVerifyDepth != UNSET) ? 251 500 + dc->nVerifyDepth : sc->server->auth.verify_depth; 252 + if ((sslconn->verify_depth < n) || 253 + ((n == 0) && (sc->server->auth.verify_depth == 0))) { 501 + if (sslconn->verify_depth < n) { 254 502 + renegotiate = TRUE; 255 503 + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, … … 259 507 260 508 /* 261 @@ -382,18 +4 20,22 @@ int ssl_hook_Access(request_rec *r)509 @@ -382,18 +440,22 @@ int ssl_hook_Access(request_rec *r) 262 510 * verification but at least skip the I/O-intensive renegotation 263 511 * handshake. … … 285 533 verify |= SSL_VERIFY_PEER; 286 534 } 287 @@ -491,6 +533,40 @@ int ssl_hook_Access(request_rec *r) 288 "Changed client verification locations will force " 289 "renegotiation"); 290 } 291 +#else 292 +#ifndef OPENSSL_NO_TLSEXT 535 
@@ -430,6 +492,45 @@ int ssl_hook_Access(request_rec *r) 536 renegotiate_quick ? "quick " : ""); 537 } 538 } 539 + /* If we're handling a request for a vhost other than the default one, 540 + * then we need to make sure that client authentication is properly 541 + * enforced. For clients supplying an SNI extension, the peer 542 + * certificate verification has happened in the handshake already 543 + * (and r->server == handshakeserver). For non-SNI requests, 544 + * an additional check is needed here. If client authentication 545 + * is configured as mandatory, then we can only proceed if the 546 + * CA list doesn't have to be changed (OpenSSL doesn't provide 547 + * an option to change the list for an existing session). 548 + */ 549 + if ((r->server != handshakeserver) 550 + && renegotiate 551 + && ((verify & SSL_VERIFY_PEER) || 552 + (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) { 553 + SSLSrvConfigRec *hssc = mySrvConfig(handshakeserver); 554 + 293 555 +#define MODSSL_CFG_CA_NE(f, sc1, sc2) \ 294 + (sc1->server->auth.f && \ 295 + (!sc2->server->auth.f || \ 296 + sc2->server->auth.f && strNE(sc1->server->auth.f, sc2->server->auth.f))) 297 + 298 + /* If we're handling a request for a vhost other than the default one, 299 + * then we need to make sure that client authentication is properly 300 + * enforced. For clients supplying an SNI extension, the peer certificate 301 + * verification has happened in the handshake already (and r->server 302 + * has been set to r->connection->base_server). For non-SNI requests, 303 + * an additional check is needed here. If client authentication is 304 + * configured as mandatory, then we can only proceed if the CA list 305 + * doesn't have to be changed (SSL_set_cert_store() would be required 306 + * for this). 
307 + */ 308 + if ((r->server != r->connection->base_server) && 309 + (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) && 310 + renegotiate && 311 + !(SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { 312 + SSLSrvConfigRec *bssc = mySrvConfig(r->connection->base_server); 313 + 314 + if (MODSSL_CFG_CA_NE(ca_cert_file, sc, bssc) || 315 + MODSSL_CFG_CA_NE(ca_cert_path, sc, bssc)) { 316 + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 317 + "Non-default virtual host with SSLVerify set to 'require' " 318 + "and VirtualHost-specific CA certificate list is only " 319 + "supported for clients with TLS server name indication " 320 + "(SNI) support"); 321 + return HTTP_FORBIDDEN; 556 + (sc1->server->auth.f && \ 557 + (!sc2->server->auth.f || \ 558 + strNE(sc1->server->auth.f, sc2->server->auth.f))) 559 + 560 + if (MODSSL_CFG_CA_NE(ca_cert_file, sc, hssc) || 561 + MODSSL_CFG_CA_NE(ca_cert_path, sc, hssc)) { 562 + if (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) { 563 + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 564 + "Non-default virtual host with SSLVerify set to " 565 + "'require' and VirtualHost-specific CA certificate " 566 + "list is only available to clients with TLS server " 567 + "name indication (SNI) support"); 568 + modssl_set_verify(ssl, verify_old, NULL); 569 + return HTTP_FORBIDDEN; 570 + } else 571 + /* let it pass, possibly with an "incorrect" peer cert, 572 + * so make sure the SSL_CLIENT_VERIFY environment variable 573 + * will indicate partial success only, later on. 574 + */ 575 + sslconn->verify_info = "GENEROUS"; 576 + } 322 577 + } 323 + } 324 +#endif /* OPENSSL_NO_TLSEXT */ 325 #endif /* HAVE_SSL_SET_CERT_STORE */ 326 327 /* If a renegotiation is now required for this location, and the 328 @@ -675,8 +751,10 @@ int ssl_hook_Access(request_rec *r) 578 } 579 580 /* 581 
@@ -666,8 +767,10 @@ int ssl_hook_Access(request_rec *r) 329 582 /* 330 583 * Finally check for acceptable renegotiation results … … 339 592 if (do_verify && (SSL_get_verify_result(ssl) != X509_V_OK)) { 340 593 ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, 341 @@ - 1006,6 +1084,9 @@ int ssl_hook_Fixup(request_rec *r)594 @@ -997,6 +1100,9 @@ int ssl_hook_Fixup(request_rec *r) 342 595 SSLDirConfigRec *dc = myDirConfig(r); 343 596 apr_table_t *env = r->subprocess_env; … … 349 602 SSL *ssl; 350 603 int i; 351 @@ -10 27,6 +1108,13 @@ int ssl_hook_Fixup(request_rec *r)604 @@ -1018,6 +1124,13 @@ int ssl_hook_Fixup(request_rec *r) 352 605 /* the always present HTTPS (=HTTP over SSL) flag! */ 353 606 apr_table_setn(env, "HTTPS", "on"); … … 363 616 if (dc->nOptions & SSL_OPT_STDENVVARS) { 364 617 for (i = 0; ssl_hook_Fixup_vars[i]; i++) { 365 @@ -1175,8 +1263,8 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX 618 @@ -1105,7 +1218,7 @@ int ssl_hook_Fixup(request_rec *r) 619 RSA *ssl_callback_TmpRSA(SSL *ssl, int export, int keylen) 620 { 621 conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); 622 - SSLModConfigRec *mc = myModConfig(c->base_server); 623 + SSLModConfigRec *mc = myModConfigFromConn(c); 624 int idx; 625 626 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, 627 @@ -1137,7 +1250,7 @@ RSA *ssl_callback_TmpRSA(SSL *ssl, int export, int 628 DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen) 629 { 630 conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); 631 - SSLModConfigRec *mc = myModConfig(c->base_server); 632 + SSLModConfigRec *mc = myModConfigFromConn(c); 633 int idx; 634 635 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, 636 
@@ -1166,8 +1279,8 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX 366 637 SSL *ssl = X509_STORE_CTX_get_ex_data(ctx, 367 638 SSL_get_ex_data_X509_STORE_CTX_idx()); … … 369 640 - server_rec *s = conn->base_server; 370 641 request_rec *r = (request_rec *)SSL_get_app_data2(ssl); 371 + server_rec *s = r ? r->server : conn->base_server;642 + server_rec *s = r ? r->server : mySrvFromConn(conn); 372 643 373 644 SSLSrvConfigRec *sc = mySrvConfig(s); 374 645 SSLDirConfigRec *dc = r ? myDirConfig(r) : NULL; 375 @@ -129 9,7 +1387,10 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX646 @@ -1290,7 +1403,10 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX 376 647 377 648 int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, conn_rec *c) … … 381 652 + SSL_get_ex_data_X509_STORE_CTX_idx()); 382 653 + request_rec *r = (request_rec *)SSL_get_app_data2(ssl); 383 + server_rec *s = r ? r->server : c->base_server;654 + server_rec *s = r ? r->server : mySrvFromConn(c); 384 655 SSLSrvConfigRec *sc = mySrvConfig(s); 385 656 SSLConnRec *sslconn = myConnConfig(c); 386 657 modssl_ctx_t *mctx = myCtxConfig(sslconn, sc); 387 @@ -1819,3 +1910,141 @@ void ssl_callback_LogTracingState(MODSSL_INFO_CB_A 658 @@ -1515,7 +1631,7 @@ static void modssl_proxy_info_log(server_rec *s, 659 int ssl_callback_proxy_cert(SSL *ssl, MODSSL_CLIENT_CERT_CB_ARG_TYPE **x509, EVP_PKEY **pkey) 660 { 661 conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); 662 - server_rec *s = c->base_server; 663 + server_rec *s = mySrvFromConn(c); 664 SSLSrvConfigRec *sc = mySrvConfig(s); 665 X509_NAME *ca_name, *issuer; 666 X509_INFO *info; 667 @@ -1613,7 +1729,7 @@ int ssl_callback_NewSessionCacheEntry(SSL *ssl, SS 668 { 669 /* Get Apache context back through OpenSSL context */ 670 conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl); 671 - server_rec *s = conn->base_server; 672 + server_rec *s = mySrvFromConn(conn); 673 SSLSrvConfigRec *sc = mySrvConfig(s); 674 long timeout = sc->session_cache_timeout; 675 BOOL rc; 676 
@@ -1661,7 +1777,7 @@ SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL 677 { 678 /* Get Apache context back through OpenSSL context */ 679 conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl); 680 - server_rec *s = conn->base_server; 681 + server_rec *s = mySrvFromConn(conn); 682 SSL_SESSION *session; 683 684 /* 685 @@ -1739,7 +1855,7 @@ void ssl_callback_LogTracingState(MODSSL_INFO_CB_A 686 return; 687 } 688 689 - s = c->base_server; 690 + s = mySrvFromConn(c); 691 if (!(sc = mySrvConfig(s))) { 692 return; 693 } 694 
@@ -1810,3 +1926,138 @@ void ssl_callback_LogTracingState(MODSSL_INFO_CB_A 388 695 } 389 696 } … … 434 741 + apr_array_header_t *names; 435 742 + int i; 743 + SSLConnRec *sslcon; 436 744 + 437 745 + /* check ServerName */ … … 476 784 + 477 785 + /* set SSL_CTX (if matched) */ 478 + if (found && (ssl = ((SSLConnRec *)myConnConfig(c))->ssl) && 786 + sslcon = myConnConfig(c); 787 + if (found && (ssl = sslcon->ssl) && 479 788 + (sc = mySrvConfig(s))) { 480 789 + SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx); … … 499 808 + 500 809 + /* 501 + * We also need to make sure that the correct mctx 502 + * (accessed through the c->base_server->module_config vector) 503 + * is assigned to the connection - the CRL callback e.g. 504 + * makes use of it for retrieving its store (mctx->crl). 505 + * Since logging in callbacks uses c->base_server in many 506 + * cases, it also ensures that these messages are routed 507 + * to the proper log. 810 + * Save the found server into our SSLConnRec for later 811 + * retrieval 508 812 + */ 509 + c->base_server = s;813 + sslcon->server = s; 510 814 + 511 815 + /* … … 516 820 + * we need to set that callback here. 517 821 + */ 518 + if ( c->base_server->loglevel >= APLOG_DEBUG) {822 + if (s->loglevel >= APLOG_DEBUG) { 519 823 + BIO_set_callback(SSL_get_rbio(ssl), ssl_io_data_cb); 520 824 + BIO_set_callback_arg(SSL_get_rbio(ssl), (void *)ssl); … … 527 831 +} 528 832 +#endif 529 Index: httpd-2.2. x/modules/ssl/ssl_toolkit_compat.h833 Index: httpd-2.2.11/modules/ssl/mod_ssl.c 530 834 =================================================================== 531 --- httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h (revision 763153) 532 +++ httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h (working copy) 835 --- httpd-2.2.11/modules/ssl/mod_ssl.c (revision 768863) 836 +++ httpd-2.2.11/modules/ssl/mod_ssl.c (working copy) 837 
@@ -145,6 +145,10 @@ static const command_rec ssl_config_cmds[] = { 838 "Use the server's cipher ordering preference") 839 SSL_CMD_ALL(UserName, TAKE1, 840 "Set user name to SSL variable value") 841 +#ifndef OPENSSL_NO_TLSEXT 842 + SSL_CMD_SRV(StrictSNIVHostCheck, FLAG, 843 + "Strict SNI virtual host checking") 844 +#endif 845 846 /* 847 * Proxy configuration for remote SSL connections 848 @@ -295,6 +299,8 @@ static SSLConnRec *ssl_init_connection_ctx(conn_re 849 850 sslconn = apr_pcalloc(c->pool, sizeof(*sslconn)); 851 852 + sslconn->server = c->base_server; 853 + 854 myConnConfigSet(c, sslconn); 855 856 return sslconn; 857 @@ -302,9 +308,10 @@ static SSLConnRec *ssl_init_connection_ctx(conn_re 858 859 int ssl_proxy_enable(conn_rec *c) 860 { 861 - SSLSrvConfigRec *sc = mySrvConfig(c->base_server); 862 + SSLSrvConfigRec *sc; 863 864 SSLConnRec *sslconn = ssl_init_connection_ctx(c); 865 + sc = mySrvConfig(sslconn->server); 866 867 if (!sc->proxy_enabled) { 868 ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, 869 @@ -322,10 +329,16 @@ int ssl_proxy_enable(conn_rec *c) 870 871 int ssl_engine_disable(conn_rec *c) 872 { 873 - SSLSrvConfigRec *sc = mySrvConfig(c->base_server); 874 + SSLSrvConfigRec *sc; 875 876 - SSLConnRec *sslconn; 877 + SSLConnRec *sslconn = myConnConfig(c); 878 879 + if (sslconn) { 880 + sc = mySrvConfig(sslconn->server); 881 + } 882 + else { 883 + sc = mySrvConfig(c->base_server); 884 + } 885 if (sc->enabled == SSL_ENABLED_FALSE) { 886 return 0; 887 } 888 
@@ -339,21 +352,24 @@ int ssl_engine_disable(conn_rec *c) 889 890 int ssl_init_ssl_connection(conn_rec *c) 891 { 892 - SSLSrvConfigRec *sc = mySrvConfig(c->base_server); 893 + SSLSrvConfigRec *sc; 894 SSL *ssl; 895 SSLConnRec *sslconn = myConnConfig(c); 896 char *vhost_md5; 897 modssl_ctx_t *mctx; 898 + server_rec *server; 899 900 + if (!sslconn) { 901 + sslconn = ssl_init_connection_ctx(c); 902 + } 903 + server = sslconn->server; 904 + sc = mySrvConfig(server); 905 + 906 /* 907 * Seed the Pseudo Random Number Generator (PRNG) 908 */ 909 - ssl_rand_seed(c->base_server, c->pool, SSL_RSCTX_CONNECT, ""); 910 + ssl_rand_seed(server, c->pool, SSL_RSCTX_CONNECT, ""); 911 912 - if (!sslconn) { 913 - sslconn = ssl_init_connection_ctx(c); 914 - } 915 - 916 mctx = sslconn->is_proxy ? sc->proxy : sc->server; 917 918 /* 919 @@ -365,7 +381,7 @@ int ssl_init_ssl_connection(conn_rec *c) 920 ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, 921 "Unable to create a new SSL connection from the SSL " 922 "context"); 923 - ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server); 924 + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, server); 925 926 c->aborted = 1; 927 928 @@ -380,7 +396,7 @@ int ssl_init_ssl_connection(conn_rec *c) 929 { 930 ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, 931 "Unable to set session id context to `%s'", vhost_md5); 932 - ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, c->base_server); 933 + ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, server); 934 935 c->aborted = 1; 936 937 
@@ -429,9 +445,15 @@ static apr_port_t ssl_hook_default_port(const requ 938 939 static int ssl_hook_pre_connection(conn_rec *c, void *csd) 940 { 941 - SSLSrvConfigRec *sc = mySrvConfig(c->base_server); 942 + SSLSrvConfigRec *sc; 943 SSLConnRec *sslconn = myConnConfig(c); 944 945 + if (sslconn) { 946 + sc = mySrvConfig(sslconn->server); 947 + } 948 + else { 949 + sc = mySrvConfig(c->base_server); 950 + } 951 /* 952 * Immediately stop processing if SSL is disabled for this connection 953 */ 954 Index: httpd-2.2.11/modules/ssl/ssl_toolkit_compat.h 955 =================================================================== 956 --- httpd-2.2.11/modules/ssl/ssl_toolkit_compat.h (revision 768863) 957 +++ httpd-2.2.11/modules/ssl/ssl_toolkit_compat.h (working copy) 533 958 @@ -264,6 +264,12 @@ typedef void (*modssl_popfree_fn)(char *data); 534 959 #define SSL_SESS_CACHE_NO_INTERNAL SSL_SESS_CACHE_NO_INTERNAL_LOOKUP … … 544 969 545 970 /** @} */ 971 Index: httpd-2.2.11/docs/manual/mod/mod_ssl.html.en 972 =================================================================== 973 --- httpd-2.2.11/docs/manual/mod/mod_ssl.html.en (revision 768863) 974 +++ httpd-2.2.11/docs/manual/mod/mod_ssl.html.en (working copy) 975 @@ -75,6 +75,7 @@ to provide the cryptography engine.</p> 976 <li><img alt="" src="../images/down.gif" /> <a href="#sslrequiressl">SSLRequireSSL</a></li> 977 <li><img alt="" src="../images/down.gif" /> <a href="#sslsessioncache">SSLSessionCache</a></li> 978 <li><img alt="" src="../images/down.gif" /> <a href="#sslsessioncachetimeout">SSLSessionCacheTimeout</a></li> 979 +<li><img alt="" src="../images/down.gif" /> <a href="#sslstrictsnivhostcheck">SSLStrictSNIVHostCheck</a></li> 980 <li><img alt="" src="../images/down.gif" /> <a href="#sslusername">SSLUserName</a></li> 981 <li><img alt="" src="../images/down.gif" /> <a href="#sslverifyclient">SSLVerifyClient</a></li> 982 <li><img alt="" src="../images/down.gif" /> <a href="#sslverifydepth">SSLVerifyDepth</a></li> 983 
@@ -1613,6 +1614,37 @@ SSLSessionCacheTimeout 600 984 985 </div> 986 <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> 987 +<div class="directive-section"><h2><a name="SSLStrictSNIVHostCheck" id="SSLStrictSNIVHostCheck">SSLStrictSNIVHostCheck</a> <a name="sslstrictsnivhostcheck" id="sslstrictsnivhostcheck">Directive</a></h2> 988 +<table class="directive"> 989 +<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Whether to allow non SNI clients to access a name based virtual 990 +host. 991 +</td></tr> 992 +<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLStrictSNIVHostCheck on|off</code></td></tr> 993 +<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLStrictSNIVHostCheck off</code></td></tr> 994 +<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> 995 +<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> 996 +<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr> 997 +</table> 998 +<p> 999 +This directive sets whether a non SNI client is allowed to access a name based 1000 +virtual host. If set to <code>on</code> in the non default name based virtual 1001 +host, non SNI clients are not allowed to access this particular virtual host. 1002 +If set to <code>on</code> in the default name based virtual host, non SNI 1003 +clients are not allowed to access any name based virtual host belonging to 1004 +this IP / port combination. 1005 +</p> 1006 + 1007 +<div class="warning"><p> 1008 +This option is only available if httpd was compiled against an SNI capable 1009 +version of OpenSSL. 
1010 +</p></div> 1011 + 1012 +<div class="example"><h3>Example</h3><p><code> 1013 +SSLStrictSNIVHostCheck on 1014 +</code></p></div> 1015 + 1016 +</div> 1017 +<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> 1018 <div class="directive-section"><h2><a name="SSLUserName" id="SSLUserName">SSLUserName</a> <a name="sslusername" id="sslusername">Directive</a></h2> 1019 <table class="directive"> 1020 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Variable name to determine user name</td></tr> 1021 @@ -1717,6 +1749,6 @@ SSLVerifyDepth 10 1022 <div class="bottomlang"> 1023 <p><span>Available Languages: </span><a href="../en/mod/mod_ssl.html" title="English"> en </a></p> 1024 </div><div id="footer"> 1025 -<p class="apache">Copyright 2008 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> 1026 +<p class="apache">Copyright 2009 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> 1027 <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div> 1028 </body></html>
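Review bot: In the ssl_hook_Access hunk (`@@ -430,6 +492,45 @@`), the `else` branch that sets `sslconn->verify_info = "GENEROUS"` is unbraced, with a multi-line comment sitting between `else` and its single statement, and it downgrades client-certificate verification silently, whereas the sibling branch logs before returning HTTP_FORBIDDEN. The effect is that a non-SNI client whose certificate was verified against the handshake server's `ca_cert_file`/`ca_cert_path` is admitted to a vhost configured with a different CA list and non-mandatory verification, and only the `SSL_CLIENT_VERIFY` variable reflects that, so there is no log trail for operators and an application that reads `SSL_CLIENT_S_DN` without also checking `SSL_CLIENT_VERIFY` would treat the certificate as fully verified. I would brace the branch and log next to the assignment, e.g. `ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, "Client certificate was verified against the handshake server's CA list; marking verification as GENEROUS");`. ssl_hook_Access starts and ends outside this hunk.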