Commit b200f289 authored by William A. Rowe Jr

mod_ssl/proxy: enable the SNI extension for backend TLS connections

Backports: r1175416
Submitted by: kbrand
Reviewed by: wrowe, rjung, trawick


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1497466 13f79535-47bb-0310-9956-ffa450edef68
parent eb9316f6
+6 −3
@@ -17,12 +17,12 @@ Changes with Apache 2.2.25
  *) mod_setenvif: Log error on substitution overflow.
     [Stefan Fritsch]

  *) mod_ssl/proxy: enable the SNI extension for backend TLS connections
     [Kaspar Brand]

  *) mod_ssl: Quiet FIPS mode weak keys disabled and FIPS not selected emits
     in the error log to debug level.  [William Rowe]

  *) htdigest: Fix buffer overflow when reading digest password file
     with very long lines. PR 54893. [Rainer Jung]

  *) mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
     with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698.
     [Keith Burdis <keith burdis.org>, Joe Orton, Kaspar Brand]
@@ -31,6 +31,9 @@ Changes with Apache 2.2.25
     admin to configure an IO timeout as an error in the balancer.
     [Daniel Ruggeri]

  *) htdigest: Fix buffer overflow when reading digest password file
     with very long lines. PR 54893. [Rainer Jung]

  *) mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with
     the source href (sent as part of the request body as XML) pointing to a
     URI that is not configured for DAV will trigger a segfault. [Ben Reser
+0 −5
@@ -96,11 +96,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
  [ start all new proposals below, under PATCHES PROPOSED. ]
  
  * mod_ssl/proxy: enable the SNI extension for backend TLS connections
    [Kaspar Brand]
    2.2.x patch: http://people.apache.org/~rjung/patches/r1175416-2.0-v2.patch
    +1: wrowe, rjung, trawick

   * mod_proxy_http: Use the same hostname for SNI as for the HTTP request when
     forwarding to SSL backends.
     PR: 53134
+33 −4
@@ -1063,9 +1063,39 @@ static int ssl_io_filter_connect(ssl_filter_ctx_t *filter_ctx)

    server = sslconn->server;
    if (sslconn->is_proxy) {
        const char *hostname_note;

#ifndef OPENSSL_NO_TLSEXT
        apr_ipsubnet_t *ip;
#endif
        const char *hostname_note = apr_table_get(c->notes,
                                                  "proxy-request-hostname");
        sc = mySrvConfig(server);

#ifndef OPENSSL_NO_TLSEXT
        /*
         * Enable SNI for backend requests. Make sure we don't do it for
         * pure SSLv2 or SSLv3 connections, and also prevent IP addresses
         * from being included in the SNI extension. (OpenSSL would simply
         * pass them on, but RFC 6066 is quite clear on this: "Literal
         * IPv4 and IPv6 addresses are not permitted".)
         */
        if (hostname_note &&
            sc->proxy->protocol != SSL_PROTOCOL_SSLV2 &&
            sc->proxy->protocol != SSL_PROTOCOL_SSLV3 &&
            apr_ipsubnet_create(&ip, hostname_note, NULL,
                                c->pool) != APR_SUCCESS) {
            if (SSL_set_tlsext_host_name(filter_ctx->pssl, hostname_note)) {
                ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
                              "SNI extension for SSL Proxy request set to '%s'",
                              hostname_note);
            } else {
                ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c,
                              "Failed to set SNI extension for SSL Proxy "
                              "request to '%s'", hostname_note);
                ssl_log_ssl_error(APLOG_MARK, APLOG_WARNING, server);
            }
	}
#endif

        if ((n = SSL_connect(filter_ctx->pssl)) <= 0) {
            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
                          "SSL Proxy connect failed");
@@ -1096,8 +1126,7 @@ static int ssl_io_filter_connect(ssl_filter_ctx_t *filter_ctx)
            X509_free(cert);
        }
        if ((sc->proxy_ssl_check_peer_cn == SSL_ENABLED_TRUE)
            && ((hostname_note =
                 apr_table_get(c->notes, "proxy-request-hostname")) != NULL)) {
            && hostname_note) {
            const char *hostname;

            hostname = ssl_var_lookup(NULL, server, c, NULL,
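Review bot: In the first hunk of this file, a failure of `SSL_set_tlsext_host_name()` only logs a warning and then falls through to `SSL_connect()`, so the backend handshake proceeds with no server_name extension at all; on a name-based TLS virtual host the backend will then answer with its default certificate, and unless `SSLProxyCheckPeerCN` is enabled (checked in the second hunk) nothing later notices the mismatch. Either fail the connect there the same way the handshake-failure path just below does, or make the fail-open explicit with a comment such as `/* Continue without SNI: a backend that does not need it is unaffected; SSLProxyCheckPeerCN catches a wrong default certificate. */`. The IP-literal guard via `apr_ipsubnet_create()` presumably relies on `proxy-request-hostname` holding an IPv6 address without URI brackets; if the note could ever contain `[::1]`, the parse would fail and the bracketed string would be sent as SNI, so that assumption deserves a one-line comment next to the RFC 6066 remark. The closing brace on the line before `#endif` is indented with a tab while the surrounding block uses spaces. `ssl_io_filter_connect()` begins before the first hunk and continues past the second.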