From: Stefan Eissing Date: Fri, 18 Sep 2015 12:42:53 +0000 (+0000) Subject: patch from yann that fixes MISDIRECTED_REQUEST handling for setups with ServerAlias... X-Git-Tag: 2.5.0-alpha~2829 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=0ae671360d9292d62ba9d88ae2fb91ecd103e212;p=apache patch from yann that fixes MISDIRECTED_REQUEST handling for setups with ServerAlias/subjectAltNames git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1703822 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index ebd9bdfdc6..83bfb73f1c 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -172,19 +172,18 @@ int ssl_hook_ReadReq(request_rec *r) * original problem. */ if (r->proxyreq != PROXYREQ_PROXY && ap_is_initial_req(r)) { - if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { - char *host, *scope_id; - apr_port_t port; - apr_status_t rv; + server_rec *handshakeserver = sslconn->server; + SSLSrvConfigRec *hssc = mySrvConfig(handshakeserver); + if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { /* * The SNI extension supplied a hostname. So don't accept requests - * with either no hostname or a different hostname as this could - * cause us to end up in a different virtual host as the one that - * was used for the handshake causing different SSL parameters to - * be applied as SSLProtocol, SSLCACertificateFile/Path and - * SSLCADNRequestFile/Path cannot be renegotiated (SSLCA* due - * to current limitations in OpenSSL, see + * with either no hostname or a hostname that selected a different + * virtual host than the one used for the handshake, causing + * different SSL parameters to be applied, such as SSLProtocol, + * SSLCACertificateFile/Path and SSLCADNRequestFile/Path which + * cannot be renegotiated (SSLCA* due to current limitations in + * OpenSSL, see: * http://mail-archives.apache.org/mod_mbox/httpd-dev/200806.mbox/%3C48592955.2090303@velox.ch%3E * and * http://mail-archives.apache.org/mod_mbox/httpd-dev/201312.mbox/%3CCAKQ1sVNpOrdiBm-UPw1hEdSN7YQXRRjeaT-MCWbW_7mN%3DuFiOw%40mail.gmail.com%3E @@ -196,27 +195,21 @@ int ssl_hook_ReadReq(request_rec *r) " provided in HTTP request", servername); return HTTP_BAD_REQUEST; } - rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool); - if (rv != APR_SUCCESS || scope_id) { - return HTTP_BAD_REQUEST; - } - if (strcasecmp(host, servername) - || !sslconn->server - || !ssl_util_vhost_matches(host, sslconn->server)) { + if (r->server != handshakeserver) { /* * We are really not in Kansas anymore... - * The request hostname does not match the SNI and does not - * select the virtual host that was selected by the SNI. + * The request does not select the virtual host that was + * selected by the SNI. */ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02032) "Hostname %s provided via SNI and hostname %s provided" - " via HTTP are different", servername, host); + " via HTTP select a different server", + servername, r->hostname); return HTTP_MISDIRECTED_REQUEST; } } else if (((sc->strict_sni_vhost_check == SSL_ENABLED_TRUE) - || (mySrvConfig(sslconn->server))->strict_sni_vhost_check - == SSL_ENABLED_TRUE) + || hssc->strict_sni_vhost_check == SSL_ENABLED_TRUE) && r->connection->vhost_lookup_data) { /* * We are using a name based configuration here, but no hostname was