From: Jim Jagielski
Date: Fri, 21 Sep 2012 15:10:12 +0000 (+0000)
Subject: Merge r1375584 from trunk:
X-Git-Tag: 2.4.4~580
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ca766524331bb389b66ea889dd2b3e8891ee4d1e;p=apache
Merge r1375584 from trunk:
* modules/ssl/ssl_engine_io.c (ssl_io_filter_handshake): Add a wildcard common name match.
PR: 53006
Submitted by: jorton
Reviewed/backported by: jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1388547 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index 6f81b343d5..65a306a7ec 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,11 +2,13 @@ Changes with Apache 2.4.4
+ *) mod_ssl: Match wildcard SSL certificate names in proxy mode.
+ PR 53006. [Joe Orton]
+ *) Windows: Fix output of -M, -L, and similar command-line options which display information about the server configuration. [Jeff Trawick]
- Changes with Apache 2.4.3 *) SECURITY: CVE-2012-3502 (cve.mitre.org)
diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
index 510e16060d..83f3ab7faa 100644
--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
@@ -1112,11 +1112,22 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
 if ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE) && hostname_note) {
 const char *hostname;
+ int match = 0;
 hostname = ssl_var_lookup(NULL, server, c, NULL, "SSL_CLIENT_S_DN_CN");
 apr_table_unset(c->notes, "proxy-request-hostname");
- if (strcasecmp(hostname, hostname_note)) {
+
+ /* Do string match or simplest wildcard match if that * fails. */
+ match = strcasecmp(hostname, hostname_note) == 0;
+ if (!match && strncmp(hostname, "*.", 2) == 0) {
+ const char *p = ap_strchr_c(hostname_note, '.');
+
+ match = p && strcasecmp(p, hostname + 1) == 0;
+ }
+
+ if (!match) {
 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02005) "SSL Proxy: Peer certificate CN mismatch:" " Certificate CN: %s Requested hostname: %s",
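Review bot: The wildcard branch added after the `apr_table_unset(...)` line accepts any `*.`-prefixed peer CN whose remainder equals the requested name's suffix after its first dot, with no lower bound on the label count, so a certificate with CN `*.com` or `*.co.uk` matches every two-label host such as `example.com`; RFC 6125 §6.4.3 and OpenSSL's X509_check_host refuse wildcards that leave fewer than two labels after the `*`. Requiring a further dot in the pattern keeps those out without changing the `*.example.com` case: `if (!match && strncmp(hostname, "*.", 2) == 0 && ap_strchr_c(hostname + 2, '.')) {`, with the comment reworded to `/* Exact match, else a single-label wildcard; the pattern must keep at least two labels (RFC 6125 6.4.3). */`. The branch also applies wildcards to an IP-literal requested name (CN `*.168.1.1` matches `192.168.1.1` through `ap_strchr_c`), which RFC 6125 says must never match; that needs a separate address-literal check before the wildcard comparison. Both branches consult only `SSL_CLIENT_S_DN_CN`, so a name carried solely in subjectAltName still fails here — pre-existing rather than introduced by this commit, but worth a comment on that lookup. The enclosing `if` and ssl_io_filter_handshake itself both start before and continue past this hunk.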