Changeset 816


Timestamp:
Aug 20, 2008, 3:49:58 AM (14 years ago)
Author:
andersk
Message:
Update the SNI patch for httpd 2.2.9, from
<http://sni.velox.ch/httpd-2.2.x-sni.diff>.
Location:
server
Files:
1 deleted
1 edited
1 moved

  • server/common/patches/httpd-2.2.x-sni.patch

    r814 r816  
    1 httpd-2.2.8-sni.patch - server name indication support for Apache 2.2
    2 (see RFC 4366, "Transport Layer Security (TLS) Extensions")
     1# httpd-2.2.x-sni.patch - server name indication support for Apache 2.2
     2# (see RFC 4366, "Transport Layer Security (TLS) Extensions")
    33
    4 based on a patch from the EdelKey project
    5 (http://www.edelweb.fr/EdelKey/files/apache-2.2.0+0.9.9+servername.patch)
     4# based on a patch from the EdelKey project
     5# (http://www.edelweb.fr/EdelKey/files/apache-2.2.0+0.9.9+servername.patch)
    66
    7 Needs openssl-SNAP-20060330 / OpenSSL 0.9.8f or later
    8 to work properly (ftp://ftp.openssl.org/snapshot/). The 0.9.8 versions
    9 must be configured explicitly for TLS extension support at compile time
    10 ("./config enable-tlsext").
     7# Needs openssl-SNAP-20060330 / OpenSSL 0.9.8f or later
     8# to work properly (ftp://ftp.openssl.org/snapshot/). The 0.9.8 versions
     9# must be configured explicitly for TLS extension support at compile time
     10# ("./config enable-tlsext").
    1111
    1212Index: httpd-2.2.x/modules/ssl/ssl_private.h
    1313===================================================================
    14 --- httpd-2.2.x/modules/ssl/ssl_private.h       (revision 627519)
     14--- httpd-2.2.x/modules/ssl/ssl_private.h       (revision 663014)
    1515+++ httpd-2.2.x/modules/ssl/ssl_private.h       (working copy)
    1616@@ -35,6 +35,7 @@
     
    2222 #include "util_filter.h"
    2323 #include "util_ebcdic.h"
    24 @@ -555,6 +556,9 @@
     24@@ -555,6 +556,9 @@ int          ssl_callback_NewSessionCach
    2525 SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
    2626 void         ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
     
    3434Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c
    3535===================================================================
    36 --- httpd-2.2.x/modules/ssl/ssl_engine_init.c   (revision 627519)
     36--- httpd-2.2.x/modules/ssl/ssl_engine_init.c   (revision 663014)
    3737+++ httpd-2.2.x/modules/ssl/ssl_engine_init.c   (working copy)
    38 @@ -355,6 +355,33 @@
     38@@ -355,6 +355,33 @@ static void ssl_init_server_check(server
    3939     }
    4040 }
     
    7070                                   apr_pool_t *p,
    7171                                   apr_pool_t *ptemp,
    72 @@ -687,6 +714,9 @@
     72@@ -687,6 +714,9 @@ static void ssl_init_ctx(server_rec *s,
    7373     if (mctx->pks) {
    7474         /* XXX: proxy support? */
     
    8080 }
    8181 
    82 @@ -1038,7 +1068,11 @@
     82@@ -1036,9 +1066,19 @@ void ssl_init_CheckServers(server_rec *b
     83         klen = strlen(key);
     84 
    8385         if ((ps = (server_rec *)apr_hash_get(table, key, klen))) {
    84              ap_log_error(APLOG_MARK, APLOG_WARNING, 0,
     86-            ap_log_error(APLOG_MARK, APLOG_WARNING, 0,
     87+            ap_log_error(APLOG_MARK,
     88+#ifdef OPENSSL_NO_TLSEXT
     89+                         APLOG_WARNING,
     90+#else
     91+                         APLOG_DEBUG,
     92+#endif
     93+                         0,
    8594                          base_server,
    8695+#ifdef OPENSSL_NO_TLSEXT
     
    92101                          ssl_util_vhostid(p, s),
    93102                          (s->defn_name ? s->defn_name : "unknown"),
    94 @@ -1055,8 +1089,14 @@
     103@@ -1055,8 +1095,14 @@ void ssl_init_CheckServers(server_rec *b
    95104 
    96105     if (conflict) {
     
    109118Index: httpd-2.2.x/modules/ssl/ssl_engine_vars.c
    110119===================================================================
    111 --- httpd-2.2.x/modules/ssl/ssl_engine_vars.c   (revision 627519)
     120--- httpd-2.2.x/modules/ssl/ssl_engine_vars.c   (revision 663014)
    112121+++ httpd-2.2.x/modules/ssl/ssl_engine_vars.c   (working copy)
    113 @@ -320,6 +320,12 @@
     122@@ -320,6 +320,12 @@ static char *ssl_var_lookup_ssl(apr_pool
    114123     else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) {
    115124         result = ssl_var_lookup_ssl_compress_meth(ssl);
     
    126135Index: httpd-2.2.x/modules/ssl/ssl_engine_kernel.c
    127136===================================================================
    128 --- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (revision 627519)
     137--- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (revision 663014)
    129138+++ httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (working copy)
    130139@@ -31,6 +31,9 @@
     
    138147 /*
    139148  *  Post Read Request Handler
    140 @@ -39,6 +42,9 @@
     149@@ -39,6 +42,9 @@ int ssl_hook_ReadReq(request_rec *r)
    141150 {
    142151     SSLConnRec *sslconn = myConnConfig(r->connection);
     
    148157     if (!sslconn) {
    149158         return DECLINED;
    150 @@ -87,6 +93,14 @@
     159@@ -87,6 +93,14 @@ int ssl_hook_ReadReq(request_rec *r)
    151160     if (!ssl) {
    152161         return DECLINED;
     
    163172 
    164173     /*
    165 @@ -997,6 +1011,9 @@
     174@@ -252,7 +266,7 @@ int ssl_hook_Access(request_rec *r)
     175      *   has to enable this via ``SSLOptions +OptRenegotiate''. So we do no
     176      *   implicit optimizations.
     177      */
     178-    if (dc->szCipherSuite) {
     179+    if (dc->szCipherSuite || (r->server != r->connection->base_server)) {
     180         /* remember old state */
     181 
     182         if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) {
     183@@ -267,7 +281,10 @@ int ssl_hook_Access(request_rec *r)
     184         }
     185 
     186         /* configure new state */
     187-        if (!modssl_set_cipher_list(ssl, dc->szCipherSuite)) {
     188+        if ((dc->szCipherSuite &&
     189+             !modssl_set_cipher_list(ssl, dc->szCipherSuite)) ||
     190+            (sc->server->auth.cipher_suite &&
     191+             !modssl_set_cipher_list(ssl, sc->server->auth.cipher_suite))) {
     192             ap_log_error(APLOG_MARK, APLOG_WARNING, 0,
     193                          r->server,
     194                          "Unable to reconfigure (per-directory) "
     195@@ -334,8 +351,13 @@ int ssl_hook_Access(request_rec *r)
     196             sk_SSL_CIPHER_free(cipher_list_old);
     197         }
     198 
     199-        /* tracing */
     200         if (renegotiate) {
     201+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
     202+            if (sc->cipher_server_pref == TRUE) {
     203+                SSL_set_options(ssl, SSL_OP_CIPHER_SERVER_PREFERENCE);
     204+            }
     205+#endif
     206+            /* tracing */
     207             ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
     208                          "Reconfigured cipher suite will force renegotiation");
     209         }
     210@@ -353,14 +375,16 @@ int ssl_hook_Access(request_rec *r)
     211      * currently active/remembered verify depth (because this means more
     212      * restriction on the certificate chain).
     213      */
     214-    if (dc->nVerifyDepth != UNSET) {
     215+    if ((dc->nVerifyDepth != UNSET) ||
     216+        (sc->server->auth.verify_depth != UNSET)) {
     217         /* XXX: doesnt look like sslconn->verify_depth is actually used */
     218         if (!(n = sslconn->verify_depth)) {
     219             sslconn->verify_depth = n = sc->server->auth.verify_depth;
     220         }
     221 
     222         /* determine whether a renegotiation has to be forced */
     223-        if (dc->nVerifyDepth < n) {
     224+        if ((dc->nVerifyDepth < n) ||
     225+            (sc->server->auth.verify_depth < n)) {
     226             renegotiate = TRUE;
     227             ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
     228                          "Reduced client verification depth will force "
     229@@ -382,18 +406,22 @@ int ssl_hook_Access(request_rec *r)
     230      * verification but at least skip the I/O-intensive renegotation
     231      * handshake.
     232      */
     233-    if (dc->nVerifyClient != SSL_CVERIFY_UNSET) {
     234+    if ((dc->nVerifyClient != SSL_CVERIFY_UNSET) ||
     235+        (sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) {
     236         /* remember old state */
     237         verify_old = SSL_get_verify_mode(ssl);
     238         /* configure new state */
     239         verify = SSL_VERIFY_NONE;
     240 
     241-        if (dc->nVerifyClient == SSL_CVERIFY_REQUIRE) {
     242+        if ((dc->nVerifyClient == SSL_CVERIFY_REQUIRE) ||
     243+            (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE)) {
     244             verify |= SSL_VERIFY_PEER_STRICT;
     245         }
     246 
     247         if ((dc->nVerifyClient == SSL_CVERIFY_OPTIONAL) ||
     248-            (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA))
     249+            (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA) ||
     250+            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL) ||
     251+            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
     252         {
     253             verify |= SSL_VERIFY_PEER;
     254         }
     255@@ -491,6 +519,40 @@ int ssl_hook_Access(request_rec *r)
     256                      "Changed client verification locations will force "
     257                      "renegotiation");
     258     }
     259+#else
     260+#ifndef OPENSSL_NO_TLSEXT
     261+#define MODSSL_CFG_CA_NE(f, sc1, sc2) \
     262+    (sc1->server->auth.f && \
     263+     (!sc2->server->auth.f || \
     264+      sc2->server->auth.f && strNE(sc1->server->auth.f, sc2->server->auth.f)))
     265+
     266+    /* If we're handling a request for a vhost other than the default one,
     267+     * then we need to make sure that client authentication is properly
     268+     * enforced. For clients supplying an SNI extension, the peer certificate
     269+     * verification has happened in the handshake already (and r->server
     270+     * has been set to r->connection->base_server). For non-SNI requests,
     271+     * an additional check is needed here. If client authentication is
     272+     * configured as mandatory, then we can only proceed if the CA list
     273+     * doesn't have to be changed (SSL_set_cert_store() would be required
     274+     * for this).
     275+     */
     276+    if ((r->server != r->connection->base_server) &&
     277+        (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) &&
     278+        renegotiate &&
     279+        !(SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
     280+        SSLSrvConfigRec *bssc = mySrvConfig(r->connection->base_server);
     281+
     282+        if (MODSSL_CFG_CA_NE(ca_cert_file, sc, bssc) ||
     283+            MODSSL_CFG_CA_NE(ca_cert_path, sc, bssc)) {
     284+            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
     285+                 "Non-default virtual host with SSLVerify set to 'require' "
     286+                 "and VirtualHost-specific CA certificate list is only "
     287+                 "supported for clients with TLS server name indication "
     288+                 "(SNI) support");
     289+            return HTTP_FORBIDDEN;
     290+        }
     291+    }
     292+#endif /* OPENSSL_NO_TLSEXT */
     293 #endif /* HAVE_SSL_SET_CERT_STORE */
     294 
     295     /* If a renegotiation is now required for this location, and the
     296@@ -666,8 +728,10 @@ int ssl_hook_Access(request_rec *r)
     297         /*
     298          * Finally check for acceptable renegotiation results
     299          */
     300-        if (dc->nVerifyClient != SSL_CVERIFY_NONE) {
     301-            BOOL do_verify = (dc->nVerifyClient == SSL_CVERIFY_REQUIRE);
     302+        if ((dc->nVerifyClient != SSL_CVERIFY_NONE) ||
     303+            (sc->server->auth.verify_mode != SSL_CVERIFY_NONE)) {
     304+            BOOL do_verify = ((dc->nVerifyClient == SSL_CVERIFY_REQUIRE) ||
     305+                              (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE));
     306 
     307             if (do_verify && (SSL_get_verify_result(ssl) != X509_V_OK)) {
     308                 ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
     309@@ -997,6 +1061,9 @@ int ssl_hook_Fixup(request_rec *r)
    166310     SSLDirConfigRec *dc = myDirConfig(r);
    167311     apr_table_t *env = r->subprocess_env;
     
    173317     SSL *ssl;
    174318     int i;
    175 @@ -1018,6 +1035,13 @@
     319@@ -1018,6 +1085,13 @@ int ssl_hook_Fixup(request_rec *r)
    176320     /* the always present HTTPS (=HTTP over SSL) flag! */
    177321     apr_table_setn(env, "HTTPS", "on");
     
    187331     if (dc->nOptions & SSL_OPT_STDENVVARS) {
    188332         for (i = 0; ssl_hook_Fixup_vars[i]; i++) {
    189 @@ -1810,3 +1834,136 @@
     333@@ -1166,8 +1240,8 @@ int ssl_callback_SSLVerify(int ok, X509_
     334     SSL *ssl = X509_STORE_CTX_get_ex_data(ctx,
     335                                           SSL_get_ex_data_X509_STORE_CTX_idx());
     336     conn_rec *conn      = (conn_rec *)SSL_get_app_data(ssl);
     337-    server_rec *s       = conn->base_server;
     338     request_rec *r      = (request_rec *)SSL_get_app_data2(ssl);
     339+    server_rec *s       = r ? r->server : conn->base_server;
     340 
     341     SSLSrvConfigRec *sc = mySrvConfig(s);
     342     SSLDirConfigRec *dc = r ? myDirConfig(r) : NULL;
     343@@ -1290,7 +1364,10 @@ int ssl_callback_SSLVerify(int ok, X509_
     344 
     345 int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, conn_rec *c)
     346 {
     347-    server_rec *s       = c->base_server;
     348+    SSL *ssl = X509_STORE_CTX_get_ex_data(ctx,
     349+                                          SSL_get_ex_data_X509_STORE_CTX_idx());
     350+    request_rec *r      = (request_rec *)SSL_get_app_data2(ssl);
     351+    server_rec *s       = r ? r->server : c->base_server;
     352     SSLSrvConfigRec *sc = mySrvConfig(s);
     353     SSLConnRec *sslconn = myConnConfig(c);
     354     modssl_ctx_t *mctx  = myCtxConfig(sslconn, sc);
     355@@ -1810,3 +1887,141 @@ void ssl_callback_LogTracingState(MODSSL
    190356     }
    191357 }
     
    301467+
    302468+        /*
    303 +         * We also need to make sure that the correct mctx is
    304 +         * assigned to the connection - the CRL callback e.g.
     469+         * We also need to make sure that the correct mctx
     470+         * (accessed through the c->base_server->module_config vector)
     471+         * is assigned to the connection - the CRL callback e.g.
    305472+         * makes use of it for retrieving its store (mctx->crl).
    306473+         * Since logging in callbacks uses c->base_server in many
    307474+         * cases, it also ensures that these messages are routed
    308 +         * to the proper log. And finally, there is one special
    309 +         * filter callback, which is set very early depending on the
    310 +         * base_server's log level. If this is not the first vhost
    311 +         * we're now selecting (and the first vhost doesn't use
    312 +         * APLOG_DEBUG), then we need to set that callback here.
     475+         * to the proper log.
    313476+         */
    314477+        c->base_server = s;
     478+
     479+        /*
     480+         * There is one special filter callback, which is set
     481+         * very early depending on the base_server's log level.
     482+         * If this is not the first vhost we're now selecting
     483+         * (and the first vhost doesn't use APLOG_DEBUG), then
     484+         * we need to set that callback here.
     485+         */
    315486+        if (c->base_server->loglevel >= APLOG_DEBUG) {
    316487+            BIO_set_callback(SSL_get_rbio(ssl), ssl_io_data_cb);
     
    326497Index: httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h
    327498===================================================================
    328 --- httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h        (revision 627519)
     499--- httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h        (revision 663014)
    329500+++ httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h        (working copy)
    330 @@ -264,6 +264,12 @@
     501@@ -264,6 +264,12 @@ typedef void (*modssl_popfree_fn)(char *
    331502 #define SSL_SESS_CACHE_NO_INTERNAL  SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
    332503 #endif
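Review bot: In the `@@ -267,7 +281,10 @@` hunk of ssl_hook_Access the two `modssl_set_cipher_list()` calls are chained with `||`, so when the per-directory `dc->szCipherSuite` is set and applied successfully the second clause still runs and presumably replaces the list with `sc->server->auth.cipher_suite`, silently discarding the per-directory SSLCipherSuite whenever the vhost also carries one. Selecting one suite first keeps the per-directory setting authoritative: `const char *suite = dc->szCipherSuite ? dc->szCipherSuite : sc->server->auth.cipher_suite;` followed by `if (suite && !modssl_set_cipher_list(ssl, suite)) {`. The same OR-ing pattern in the `@@ -353,14 +375,16 @@` hunk now evaluates `dc->nVerifyDepth < n` even when `dc->nVerifyDepth` is UNSET, which — if UNSET is a negative sentinel — forces a renegotiation for every non-default vhost that merely sets SSLVerifyDepth; guarding each comparison with its own `!= UNSET` test avoids that. The `MODSSL_CFG_CA_NE` macro in the `@@ -491,6 +519,40 @@` hunk nests `&&` inside `||` without parentheses and leaves its `sc1`/`sc2` arguments unparenthesized; `(!sc2->server->auth.f || (sc2->server->auth.f && strNE(sc1->server->auth.f, sc2->server->auth.f)))` reads unambiguously. ssl_hook_Access begins and ends outside these hunks.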
  • server/fedora/specs/httpd.spec.patch

    r810 r816  
    66 
    77+Patch1000: httpd-suexec-scripts.patch
    8 +Patch1001: httpd-2.2.8-sni.patch
     8+Patch1001: httpd-2.2.x-sni.patch
    99+Patch1003: httpd-2.2.x-mod_status-security.patch
    1010+