Loading CHANGES +3 −0 Original line number Diff line number Diff line Loading @@ -12,6 +12,9 @@ Changes with Apache 2.3.15 PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener, <lowprio20 gmail.com>] *) mod_ssl/proxy: enable the SNI extension for backend TLS connections [Kaspar Brand] *) Add wrappers for malloc, calloc, realloc that check for out of memory situations and use them in many places. PR 51568, PR 51569, PR 51571. [Stefan Fritsch] Loading modules/ssl/ssl_engine_io.c +34 −5 Original line number Diff line number Diff line Loading @@ -1040,9 +1040,39 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx) server = sslconn->server; if (sslconn->is_proxy) { const char *hostname_note; #ifndef OPENSSL_NO_TLSEXT apr_ipsubnet_t *ip; #endif const char *hostname_note = apr_table_get(c->notes, "proxy-request-hostname"); sc = mySrvConfig(server); #ifndef OPENSSL_NO_TLSEXT /* * Enable SNI for backend requests. Make sure we don't do it for * pure SSLv2 or SSLv3 connections, and also prevent IP addresses * from being included in the SNI extension. (OpenSSL would simply * pass them on, but RFC 6066 is quite clear on this: "Literal * IPv4 and IPv6 addresses are not permitted".) */ if (hostname_note && sc->proxy->protocol != SSL_PROTOCOL_SSLV2 && sc->proxy->protocol != SSL_PROTOCOL_SSLV3 && apr_ipsubnet_create(&ip, hostname_note, NULL, c->pool) != APR_SUCCESS) { if (SSL_set_tlsext_host_name(filter_ctx->pssl, hostname_note)) { ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c, "SNI extension for SSL Proxy request set to '%s'", hostname_note); } else { ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, "Failed to set SNI extension for SSL Proxy " "request to '%s'", hostname_note); ssl_log_ssl_error(SSLLOG_MARK, APLOG_WARNING, server); } } #endif if ((n = SSL_connect(filter_ctx->pssl)) <= 0) { ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, "SSL Proxy connect failed"); Loading Loading 
@@ -1072,9 +1102,8 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx) } X509_free(cert); } if ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE) && ((hostname_note = apr_table_get(c->notes, "proxy-request-hostname")) != NULL)) { if ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE) && hostname_note) { const char *hostname; hostname = ssl_var_lookup(NULL, server, c, NULL, Loading Loading
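Review bot: The "no IP literals in SNI" guard in the first hunk is only as strong as `apr_ipsubnet_create()` rejecting the string, so a bracketed IPv6 literal or a host with a trailing dot would pass the test and be sent as SNI if `proxy-request-hostname` can ever carry that form; I cannot see where the note is set, so this is worth a comment stating the assumption, e.g. `/* assumes the note holds a bare hostname or IP literal, no brackets/port */`. The failure branch of `SSL_set_tlsext_host_name()` logs a warning and still runs `SSL_connect()`, which is reasonable but undocumented; a line such as `/* SNI failure is non-fatal: the backend may still present a usable cert */` before the `else` would make the intent explicit. It is good that the second hunk now compares the peer CN against the same `hostname_note` used for SNI, so a backend that falls back to a default certificate is caught by `SSLProxyCheckPeerCN` when enabled; that coupling deserves a short comment at the CN check. `ssl_io_filter_handshake` starts and ends outside both hunks, and the same section is repeated below.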
CHANGES +3 −0 Original line number Diff line number Diff line Loading @@ -12,6 +12,9 @@ Changes with Apache 2.3.15 PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener, <lowprio20 gmail.com>] *) mod_ssl/proxy: enable the SNI extension for backend TLS connections [Kaspar Brand] *) Add wrappers for malloc, calloc, realloc that check for out of memory situations and use them in many places. PR 51568, PR 51569, PR 51571. [Stefan Fritsch] Loading
modules/ssl/ssl_engine_io.c +34 −5 Original line number Diff line number Diff line Loading @@ -1040,9 +1040,39 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx) server = sslconn->server; if (sslconn->is_proxy) { const char *hostname_note; #ifndef OPENSSL_NO_TLSEXT apr_ipsubnet_t *ip; #endif const char *hostname_note = apr_table_get(c->notes, "proxy-request-hostname"); sc = mySrvConfig(server); #ifndef OPENSSL_NO_TLSEXT /* * Enable SNI for backend requests. Make sure we don't do it for * pure SSLv2 or SSLv3 connections, and also prevent IP addresses * from being included in the SNI extension. (OpenSSL would simply * pass them on, but RFC 6066 is quite clear on this: "Literal * IPv4 and IPv6 addresses are not permitted".) */ if (hostname_note && sc->proxy->protocol != SSL_PROTOCOL_SSLV2 && sc->proxy->protocol != SSL_PROTOCOL_SSLV3 && apr_ipsubnet_create(&ip, hostname_note, NULL, c->pool) != APR_SUCCESS) { if (SSL_set_tlsext_host_name(filter_ctx->pssl, hostname_note)) { ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c, "SNI extension for SSL Proxy request set to '%s'", hostname_note); } else { ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, "Failed to set SNI extension for SSL Proxy " "request to '%s'", hostname_note); ssl_log_ssl_error(SSLLOG_MARK, APLOG_WARNING, server); } } #endif if ((n = SSL_connect(filter_ctx->pssl)) <= 0) { ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, "SSL Proxy connect failed"); Loading Loading @@ -1072,9 +1102,8 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx) } X509_free(cert); } if ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE) && ((hostname_note = apr_table_get(c->notes, "proxy-request-hostname")) != NULL)) { if ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE) && hostname_note) { const char *hostname; hostname = ssl_var_lookup(NULL, server, c, NULL, Loading