From: Jeff Trawick Date: Mon, 14 Jul 2014 00:22:15 +0000 (+0000) Subject: Merge r1609914 from trunk: X-Git-Tag: 2.4.10~35 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=05a733abb4fac0b645615fc65ee840669ec03db5;p=apache Merge r1609914 from trunk: mod_ssl: Fix issue with redirects to error documents when handling SNI errors. Submitted by: trawick Reviewed by: minfrin, rjung git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1610326 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 8f7a52ac4a..1653c1157e 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,9 @@ Changes with Apache 2.4.10 + *) mod_ssl: Fix issue with redirects to error documents when handling + SNI errors. [Jeff Trawick] + *) mod_ssl: Fix tmp DH parameter leak, adjust selection to prefer larger keys and support up to 8192-bit keys. [Ruediger Pluem, Joe Orton] diff --git a/STATUS b/STATUS index 0d38f56061..fe15441bc0 100644 --- a/STATUS +++ b/STATUS @@ -122,12 +122,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK: ylavic: does not depend on r1572092 or r1572655 and al above, these proposals can be backported in any order. - * mod_ssl: Fix issue with redirects to error documents when handling - SNI errors. - trunk patch: http://svn.apache.org/r1609914 - 2.4.x patch: Trunk patch works modulo CHANGES. - +1: trawick, minfrin, rjung - * mod_ssl: Set an error note for requests rejected due to SSLStrictSNIVHostCheck trunk patch: http://svn.apache.org/r1609936 diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index a6ca7cc041..7a7348e45f 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c 
@@ -163,7 +163,13 @@ int ssl_hook_ReadReq(request_rec *r) return DECLINED; } #ifdef HAVE_TLSEXT - if (r->proxyreq != PROXYREQ_PROXY) { + /* + * Perform SNI checks only on the initial request. In particular, + * if these checks detect a problem, the checks shouldn't return an + * error again when processing an ErrorDocument redirect for the + * original problem. + */ + if (r->proxyreq != PROXYREQ_PROXY && ap_is_initial_req(r)) { if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { char *host, *scope_id; apr_port_t port;
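Review bot: the new `ap_is_initial_req(r)` guard in the `#ifdef HAVE_TLSEXT` block skips the SNI checks for every subrequest and internal redirect, not only the ErrorDocument redirect that the new comment names; that scope is correct, because the SNI server name is a property of the TLS connection and has already been validated once on the initial request, but the comment should say so explicitly so that a later reader does not mistake internal redirects from other modules (mod_rewrite, mod_dir) for an accidental bypass. It would also help to state in the comment that the rejected request keeps its original error status, so the ErrorDocument for the SNI failure is now served instead of being rejected again; that is the behaviour the CHANGES entry describes but the code comment only implies.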