Commit d632cc65 authored by Yann Ylavic

Merge r1634120 from trunk:

* Use the correct server name for SNI in case the backend SSL connection itself
  is established via a proxy server.

PR: 57139
Submitted by: Szabolcs Gyurko <szabolcs gyurko.org>

Committed by: rpluem
Backported by: ylavic
Reviewed by: ylavic, wrowe, covener, orlikowski


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1777779 13f79535-47bb-0310-9956-ffa450edef68
parent 7156a844
+4 −0
@@ -6,6 +6,10 @@ Changes with Apache 2.2.32
     and request headers, to prevent response splitting and cache pollution by
     malicious clients or downstream proxies. [William Rowe, Stefan Fritsch]

  *) mod_proxy: Use the correct server name for SNI in case the backend
     SSL connection itself is established via a proxy server.
     PR 57139 [Szabolcs Gyurko <szabolcs gyurko.org>]

  *) core: CVE-2016-5387: Mitigate [f]cgi "httpoxy" issues.
     [Dominic Scheirlinck <dominic vendhq.com>, Yann Ylavic]

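Review bot: The new mod_proxy entry does not say which name is sent when the preserve-host setting is on. The code change keeps `conf->preserve_host` as the first branch, so `r->hostname` still takes precedence over the CONNECT target. Adding a short clause to the entry, for example "unless the request host is preserved", would tell administrators that the SNI value changes only when that setting is off.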
+4 −0
@@ -2319,6 +2319,10 @@ ap_proxy_determine_connection(apr_pool_t *p, request_rec *r,
        if (conf->preserve_host) {
            ssl_hostname = r->hostname;
        }
        else if (conn->forward
                 && ((forward_info *)(conn->forward))->use_http_connect) {
            ssl_hostname = ((forward_info *)conn->forward)->target_host;
        }
        else {
            ssl_hostname = conn->hostname;
        }
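Review bot: In the new `else if` branch, `target_host` is assigned to `ssl_hostname` with no NULL or empty check, and nothing in the visible lines guarantees it is populated whenever `use_http_connect` is set. Either confirm that invariant where `forward_info` is filled in, or handle the unset case explicitly so that the TLS handshake is never given a missing server name. The `(forward_info *)` cast of `conn->forward` is written twice with different parenthesization; a local such as `forward_info *forward = conn->forward;` would make the condition easier to read. A one-line comment stating that `preserve_host` intentionally wins over the CONNECT target, and that `conn->hostname` remains the default otherwise, would document the branch order for later readers.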