From c98a5c70ec8c8ec03e8ce039a168206724c843fc Mon Sep 17 00:00:00 2001
From: Stefan Eissing <icing@apache.org>
Date: Fri, 18 Sep 2015 12:50:24 +0000
Subject: [PATCH] merged yann's patch to fix MISDIRECTED_REQUEST handling
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.17-protocols-http2@1703826 13f79535-47bb-0310-9956-ffa450edef68
---
modules/ssl/ssl_engine_kernel.c | 37 +++++++++++++--------------------
1 file changed, 15 insertions(+), 22 deletions(-)
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index cad7cc9e6f..73f904c50d 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -171,19 +171,18 @@ int ssl_hook_ReadReq(request_rec *r)
* original problem.
*/
if (r->proxyreq != PROXYREQ_PROXY && ap_is_initial_req(r)) {
- if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
- char *host, *scope_id;
- apr_port_t port;
- apr_status_t rv;
+ server_rec *handshakeserver = sslconn->server;
+ SSLSrvConfigRec *hssc = mySrvConfig(handshakeserver);
+ if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
/*
* The SNI extension supplied a hostname. So don't accept requests
- * with either no hostname or a different hostname as this could
- * cause us to end up in a different virtual host as the one that
- * was used for the handshake causing different SSL parameters to
- * be applied as SSLProtocol, SSLCACertificateFile/Path and
- * SSLCADNRequestFile/Path cannot be renegotiated (SSLCA* due
- * to current limitations in OpenSSL, see
+ * with either no hostname or a hostname that selected a different
+ * virtual host than the one used for the handshake, causing
+ * different SSL parameters to be applied, such as SSLProtocol,
+ * SSLCACertificateFile/Path and SSLCADNRequestFile/Path which
+ * cannot be renegotiated (SSLCA* due to current limitations in
+ * OpenSSL, see:
* http://mail-archives.apache.org/mod_mbox/httpd-dev/200806.mbox/%3C48592955.2090303@velox.ch%3E
* and
* http://mail-archives.apache.org/mod_mbox/httpd-dev/201312.mbox/%3CCAKQ1sVNpOrdiBm-UPw1hEdSN7YQXRRjeaT-MCWbW_7mN%3DuFiOw%40mail.gmail.com%3E
@@ -195,27 +194,21 @@ int ssl_hook_ReadReq(request_rec *r)
" provided in HTTP request", servername);
return HTTP_BAD_REQUEST;
}
- rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool);
- if (rv != APR_SUCCESS || scope_id) {
- return HTTP_BAD_REQUEST;
- }
- if (strcasecmp(host, servername)
- || !sslconn->server
- || !ssl_util_vhost_matches(host, sslconn->server)) {
+ if (r->server != handshakeserver) {
/*
* We are really not in Kansas anymore...
- * The request hostname does not match the SNI and does not
- * select the virtual host that was selected by the SNI.
+ * The request does not select the virtual host that was
+ * selected by the SNI.
*/
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02032)
"Hostname %s provided via SNI and hostname %s provided"
- " via HTTP are different", servername, host);
+ " via HTTP select a different server",
+ servername, r->hostname);
return HTTP_MISDIRECTED_REQUEST;
}
}
else if (((sc->strict_sni_vhost_check == SSL_ENABLED_TRUE)
- || (mySrvConfig(sslconn->server))->strict_sni_vhost_check
- == SSL_ENABLED_TRUE)
+ || hssc->strict_sni_vhost_check == SSL_ENABLED_TRUE)
&& r->connection->vhost_lookup_data) {
/*
* We are using a name based configuration here, but no hostname was
--
GitLab