From: Ruediger Pluem Date: Mon, 23 Mar 2009 10:51:00 +0000 (+0000) Subject: * If the SNI extension supplied a hostname. So don't accept requests with X-Git-Tag: 2.3.2~4 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d5897d537b311e5e26ed270e2c8288b27b0a976d;p=apache * If the SNI extension supplied a hostname. So don't accept requests with either no hostname or a different hostname. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@757373 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index ab5fb0db4e..0a2ea7be5a 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -160,11 +160,31 @@ int ssl_hook_ReadReq(request_rec *r) return DECLINED; } #ifndef OPENSSL_NO_TLSEXT - if (!r->hostname && - (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { - /* Use the SNI extension as the hostname if no Host: header was sent */ - r->hostname = apr_pstrdup(r->pool, servername); - ap_update_vhost_from_headers(r); + if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { + char *host, *scope_id; + apr_port_t port; + apr_status_t rv; + + /* + * The SNI extension supplied a hostname. So don't accept requests + * with either no hostname or a different hostname. + */ + if (!r->hostname) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, + "Hostname %s provided via SNI, but no hostname" + " provided in HTTP request", servername); + return HTTP_BAD_REQUEST; + } + rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool); + if (rv != APR_SUCCESS || scope_id) { + return HTTP_BAD_REQUEST; + } + if (strcmp(host, servername)) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, + "Hostname %s provided via SNI and hostname %s provided" + " via HTTP are different", servername, host); + return HTTP_BAD_REQUEST; + } } #endif SSL_set_app_data2(ssl, r);