From: Yann Ylavic Date: Fri, 12 Jun 2015 11:33:22 +0000 (+0000) Subject: http, mod_ssl: Introduce and return the 421 (Misdirected Request) status code X-Git-Tag: 2.5.0-alpha~3088 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=33d6aaf455bf6f5c151b3cb320f68f93fcecf93c;p=apache http, mod_ssl: Introduce and return the 421 (Misdirected Request) status code for clients requesting a hostname on a reused connection whose SNI (from the TLS handshake) does not match. PR 5802. This allows HTTP/2 clients to fall back to a new connection as per: https://tools.ietf.org/html/rfc7540#section-9.1.2 Proposed by: Stefan Eissing Reviewed by: ylavic git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1685069 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/include/httpd.h b/include/httpd.h
index 14c8bebc9f..7f7300d7f0 100644
--- a/include/httpd.h
+++ b/include/httpd.h
@@ -519,6 +519,7 @@ AP_DECLARE(const char *) ap_get_server_built(void);
 #define HTTP_RANGE_NOT_SATISFIABLE 416
 #define HTTP_EXPECTATION_FAILED 417
 #define HTTP_IM_A_TEAPOT 418
+#define HTTP_MISDIRECTED_REQUEST 421
 #define HTTP_UNPROCESSABLE_ENTITY 422
 #define HTTP_LOCKED 423
 #define HTTP_FAILED_DEPENDENCY 424
diff --git a/modules/http/http_protocol.c b/modules/http/http_protocol.c
index 8cdcc6e65f..25328d9dce 100644
--- a/modules/http/http_protocol.c
+++ b/modules/http/http_protocol.c
@@ -135,7 +135,7 @@ static const char * const status_lines[RESPONSE_CODES] =
 "418 I'm A Teapot",
 NULL, /* 419 */
 NULL, /* 420 */
- NULL, /* 421 */
+ "421 Misdirected Request",
 "422 Unprocessable Entity",
 "423 Locked",
 "424 Failed Dependency",
@@ -1308,6 +1308,11 @@ static const char *get_canned_error_string(int status,
 case HTTP_IM_A_TEAPOT:
 return("

The resulting entity body MAY be short and\n" "stout.

\n"); + case HTTP_MISDIRECTED_REQUEST: + return("

The client needs a new connection for this\n" + "request as the requested host name does not match\n" + "the Server Name Indication (SNI) in use for this\n" + "connection.

\n"); default: /* HTTP_INTERNAL_SERVER_ERROR */ /* * This comparison to expose error-notes could be modified to diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index 1df82fbd71..6b1dc3f237 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -204,6 +204,9 @@ int ssl_hook_ReadReq(request_rec *r) ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02032) "Hostname %s provided via SNI and hostname %s provided" " via HTTP are different", servername, host); + if (r->connection->keepalives > 0) { + return HTTP_MISDIRECTED_REQUEST; + } return HTTP_BAD_REQUEST; } }
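Review bot: The `r->connection->keepalives > 0` test added in ssl_hook_ReadReq is the only stand-in for "reused connection", and nothing next to it records that; a comment above the `if` such as `/* keepalives > 0: a prior request completed on this connection, so the client is reusing it for another host; 421 asks it to retry on a new connection (RFC 7540 section 9.1.2) */` would make the intent reviewable. Both branches still refuse the request, so the SNI/Host mismatch guard itself is not weakened, but a mismatch on the first request of a connection keeps returning `HTTP_BAD_REQUEST`, and that choice should be stated in the same comment. If HTTP/2 requests are processed on connection records whose `keepalives` stays at 0 (not visible in this hunk), those clients would keep getting 400 instead of the 421 the commit message describes, so that path is worth confirming with a test. The enclosing function starts and ends outside the hunk.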