-*- coding: utf-8 -*-
Changes with Apache 2.5.0
+ *) mod_ssl: bring SNI behavior into better conformance with RFC 6066:
+ no longer send warning-level unrecognized_name(112) alerts,
+ and limit startup warnings to cases where an OpenSSL version
+ without TLS extension support is used. PR 56241. [Kaspar Brand]
+
*) mod_proxy_html: Do not delete the wrong data from HTML code when a
"http-equiv" meta tag specifies a Content-Type behind any other
"http-equiv" meta tag. PR 56287 [Micha Lenk <micha lenk info>]
apr_status_t ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
{
- server_rec *s, *ps;
+ server_rec *s;
SSLSrvConfigRec *sc;
+#ifndef HAVE_TLSEXT
+ server_rec *ps;
apr_hash_t *table;
const char *key;
apr_ssize_t klen;
BOOL conflict = FALSE;
+#endif
/*
* Give out warnings when a server has HTTPS configured
}
}
+#ifndef HAVE_TLSEXT
/*
* Give out warnings when more than one SSL-aware virtual server uses the
- * same IP:port. This doesn't work because mod_ssl then will always use
- * just the certificate/keys of one virtual host (which one cannot be said
- * easily - but that doesn't matter here).
+ * same IP:port and an OpenSSL version without support for TLS extensions
+ * (SNI in particular) is used.
*/
table = apr_hash_make(p);
klen = strlen(key);
if ((ps = (server_rec *)apr_hash_get(table, key, klen))) {
-#ifndef HAVE_TLSEXT
- int level = APLOG_WARNING;
- const char *problem = "conflict";
-#else
- int level = APLOG_DEBUG;
- const char *problem = "overlap";
-#endif
- ap_log_error(APLOG_MARK, level, 0, base_server,
- "Init: SSL server IP/port %s: "
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server,
+ "Init: SSL server IP/port conflict: "
"%s (%s:%d) vs. %s (%s:%d)",
- problem, ssl_util_vhostid(p, s),
+ ssl_util_vhostid(p, s),
(s->defn_name ? s->defn_name : "unknown"),
s->defn_line_number,
ssl_util_vhostid(p, ps),
}
if (conflict) {
-#ifndef HAVE_TLSEXT
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01917)
- "Init: You should not use name-based "
- "virtual hosts in conjunction with SSL!!");
-#else
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(02292)
- "Init: Name-based SSL virtual hosts only "
- "work for clients with TLS server name indication "
- "support (RFC 4366)");
-#endif
+ "Init: Name-based SSL virtual hosts require "
+ "an OpenSSL version with support for TLS extensions "
+ "(RFC 6066 - Server Name Indication / SNI), "
+ "but the currently used library version (%s) is "
+ "lacking this feature", SSLeay_version(SSLEAY_VERSION));
}
+#endif
return APR_SUCCESS;
}
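Review bot: In a HAVE_TLSEXT build the whole IP:port overlap check is now compiled out, so two SSL vhosts sharing an address produce no startup diagnostic at all, even though a client that sends no SNI still lands on the first vhost's certificate and SSL_CTX. Before this change that build emitted the overlap at APLOG_DEBUG (the removed APLOGNO(02292) branch); consider keeping a debug-level notice in the HAVE_TLSEXT build rather than dropping it, since it is the only startup-time hint an operator gets for that situation. The rest of ssl_init_CheckServers, including the loop that builds `table` and the first HTTPS-configuration check, is outside the hunk, so I cannot confirm that no other path reports the overlap.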
#ifdef HAVE_TLSEXT
/*
* This callback function is executed when OpenSSL encounters an extended
- * client hello with a server name indication extension ("SNI", cf. RFC 4366).
+ * client hello with a server name indication extension ("SNI", cf. RFC 6066).
*/
int ssl_callback_ServerNameIndication(SSL *ssl, int *al, modssl_ctx_t *mctx)
{
"No matching SSL virtual host for servername "
"%s found (using default/first virtual host)",
servername);
- return SSL_TLSEXT_ERR_ALERT_WARNING;
+ /*
+ * RFC 6066 section 3 says "It is NOT RECOMMENDED to send
+ * a warning-level unrecognized_name(112) alert, because
+ * the client's behavior in response to warning-level alerts
+ * is unpredictable."
+ *
+ * To maintain backwards compatibility in mod_ssl, we
+ * no longer send any alert (neither warning- nor fatal-level),
+ * i.e. we take the second action suggested in RFC 6066:
+ * "If the server understood the ClientHello extension but
+ * does not recognize the server name, the server SHOULD take
+ * one of two actions: either abort the handshake by sending
+ * a fatal-level unrecognized_name(112) alert or continue
+ * the handshake."
+ */
}
}
}
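Review bot: The new comment explains why no alert is sent but not what the callback returns once it falls through — the `return` after these braces is outside the hunk, so a reader cannot tell whether the extension is acknowledged (SSL_TLSEXT_ERR_OK) or not (SSL_TLSEXT_ERR_NOACK), and that distinction is what the client sees in the ServerHello. I would end the comment with a line naming the value actually returned, e.g. `* We fall through to the final return below, so the handshake proceeds with the default/first virtual host's SSL_CTX.` (with the real return constant filled in). With no alert at all, the only server-side evidence of a ClientHello for an unknown name is the "No matching SSL virtual host" log line above; its log level is not visible here, and if it is debug-level, probes for unconfigured names and DNS/vhost misconfigurations will be invisible in default logging, which is worth stating in the comment or the CHANGES entry. The client, for its part, now only detects the mismatch through certificate name validation against the default vhost's certificate.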