Merge r1375584 from trunk:
authorJim Jagielski <jim@apache.org>
Fri, 21 Sep 2012 15:10:12 +0000 (15:10 +0000)
committerJim Jagielski <jim@apache.org>
Fri, 21 Sep 2012 15:10:12 +0000 (15:10 +0000)
* modules/ssl/ssl_engine_io.c (ssl_io_filter_handshake): Add a
  wildcard common name match.

PR: 53006

Submitted by: jorton
Reviewed/backported by: jim

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1388547 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
modules/ssl/ssl_engine_io.c

diff --git a/CHANGES b/CHANGES
index 6f81b343d5517999c3fd4c79e777209c995e3c86..65a306a7ec4c30d25b17010e44390a6ddd92a302 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,11 +2,13 @@
 
 Changes with Apache 2.4.4
 
+  *) mod_ssl: Match wildcard SSL certificate names in proxy mode.  
+     PR 53006.  [Joe Orton]
+
   *) Windows: Fix output of -M, -L, and similar command-line options
      which display information about the server configuration.
      [Jeff Trawick]
 
-
 Changes with Apache 2.4.3
 
   *) SECURITY: CVE-2012-3502  (cve.mitre.org)
index 510e16060dca21d541ae1b50ba8533fd1cf984f8..83f3ab7faa7c4475142cb6914d3bbff5966b9177 100644 (file)
@@ -1112,11 +1112,22 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
         if ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE) &&
             hostname_note) {
             const char *hostname;
+            int match = 0;
 
             hostname = ssl_var_lookup(NULL, server, c, NULL,
                                       "SSL_CLIENT_S_DN_CN");
             apr_table_unset(c->notes, "proxy-request-hostname");
-            if (strcasecmp(hostname, hostname_note)) {
+
+            /* Do string match or simplest wildcard match if that
+             * fails. */
+            match = strcasecmp(hostname, hostname_note) == 0;
+            if (!match && strncmp(hostname, "*.", 2) == 0) {
+                const char *p = ap_strchr_c(hostname_note, '.');
+                
+                match = p && strcasecmp(p, hostname + 1) == 0;
+            }
+
+            if (!match) {
                 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02005)
                               "SSL Proxy: Peer certificate CN mismatch:"
                               " Certificate CN: %s Requested hostname: %s",
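Review bot: The wildcard branch at L54–L57 accepts a wildcard with only one label after the `*.`, so a certificate with CN `*.com` (or `*.`) matches any requested hostname whose first label is stripped, e.g. `example.com`; nothing in the new code bounds how much of the name the wildcard may cover. RFC 6125 §6.4.3 recommends rejecting such wildcards, and the guard is one condition: `if (!match && strncmp(hostname, "*.", 2) == 0 && ap_strchr_c(hostname + 2, '.')) {`. It would also be worth a comment on the `ap_strchr_c(hostname_note, '.')` line that only the leftmost label of the requested name may be absorbed by the `*`, which is the intended behaviour but not obvious from the pointer arithmetic. The match is still against the CN only, which predates this commit; ssl_io_filter_handshake starts and ends outside the hunk.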