From cbba0dbc00fc8aebb4389bc0bdbe3e72544d6fd2 Mon Sep 17 00:00:00 2001 From: Kaspar Brand Date: Sat, 5 Apr 2014 12:57:43 +0000 Subject: [PATCH] Bring SNI behavior into better conformance with RFC 6066: - no longer send a warning-level unrecognized_name(112) alert when no matching vhost is found (PR 56241) - at startup, only issue warnings about IP/port conflicts and name-based SSL vhosts when running with an OpenSSL without TLS extension support (almost 5 years after SNI was added to 2.2.x, the "[...] only work for clients with TLS server name indication support" warning feels obsolete) git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1585090 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 5 +++++ modules/ssl/ssl_engine_init.c | 39 ++++++++++++++------------------- modules/ssl/ssl_engine_kernel.c | 18 +++++++++++++-- 3 files changed, 37 insertions(+), 25 deletions(-) diff --git a/CHANGES b/CHANGES index 7be717ea1f..87e9629df2 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,11 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.0 + *) mod_ssl: bring SNI behavior into better conformance with RFC 6066: + no longer send warning-level unrecognized_name(112) alerts, + and limit startup warnings to cases where an OpenSSL version + without TLS extension support is used. PR 56241. [Kaspar Brand] + *) mod_proxy_html: Do not delete the wrong data from HTML code when a "http-equiv" meta tag specifies a Content-Type behind any other "http-equiv" meta tag. PR 56287 [Micha Lenk ] diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index ed29b7fe0d..ab5fa5e51a 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -1404,13 +1404,16 @@ apr_status_t ssl_init_ConfigureServer(server_rec *s, apr_status_t ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p) { - server_rec *s, *ps; + server_rec *s; SSLSrvConfigRec *sc; +#ifndef HAVE_TLSEXT + server_rec *ps; apr_hash_t *table; const char *key; apr_ssize_t klen; BOOL conflict = FALSE; +#endif /* * Give out warnings when a server has HTTPS configured @@ -1438,11 +1441,11 @@ apr_status_t ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p) } } +#ifndef HAVE_TLSEXT /* * Give out warnings when more than one SSL-aware virtual server uses the - * same IP:port. This doesn't work because mod_ssl then will always use - * just the certificate/keys of one virtual host (which one cannot be said - * easily - but that doesn't matter here). + * same IP:port and an OpenSSL version without support for TLS extensions + * (SNI in particular) is used. */ table = apr_hash_make(p); @@ -1460,17 +1463,10 @@ apr_status_t ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p) klen = strlen(key); if ((ps = (server_rec *)apr_hash_get(table, key, klen))) { -#ifndef HAVE_TLSEXT - int level = APLOG_WARNING; - const char *problem = "conflict"; -#else - int level = APLOG_DEBUG; - const char *problem = "overlap"; -#endif - ap_log_error(APLOG_MARK, level, 0, base_server, - "Init: SSL server IP/port %s: " + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, + "Init: SSL server IP/port conflict: " "%s (%s:%d) vs. %s (%s:%d)", - problem, ssl_util_vhostid(p, s), + ssl_util_vhostid(p, s), (s->defn_name ? s->defn_name : "unknown"), s->defn_line_number, ssl_util_vhostid(p, ps), @@ -1484,17 +1480,14 @@ apr_status_t ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p) } if (conflict) { -#ifndef HAVE_TLSEXT ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01917) - "Init: You should not use name-based " - "virtual hosts in conjunction with SSL!!"); -#else - ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(02292) - "Init: Name-based SSL virtual hosts only " - "work for clients with TLS server name indication " - "support (RFC 4366)"); -#endif + "Init: Name-based SSL virtual hosts require " + "an OpenSSL version with support for TLS extensions " + "(RFC 6066 - Server Name Indication / SNI), " + "but the currently used library version (%s) is " + "lacking this feature", SSLeay_version(SSLEAY_VERSION)); } +#endif return APR_SUCCESS; } diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index 7cd0762a28..db1ceba68f 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -1918,7 +1918,7 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc) #ifdef HAVE_TLSEXT /* * This callback function is executed when OpenSSL encounters an extended - * client hello with a server name indication extension ("SNI", cf. RFC 4366). + * client hello with a server name indication extension ("SNI", cf. RFC 6066). */ int ssl_callback_ServerNameIndication(SSL *ssl, int *al, modssl_ctx_t *mctx) { @@ -1940,7 +1940,21 @@ int ssl_callback_ServerNameIndication(SSL *ssl, int *al, modssl_ctx_t *mctx) "No matching SSL virtual host for servername " "%s found (using default/first virtual host)", servername); - return SSL_TLSEXT_ERR_ALERT_WARNING; + /* + * RFC 6066 section 3 says "It is NOT RECOMMENDED to send + * a warning-level unrecognized_name(112) alert, because + * the client's behavior in response to warning-level alerts + * is unpredictable." + * + * To maintain backwards compatibility in mod_ssl, we + * no longer send any alert (neither warning- nor fatal-level), + * i.e. we take the second action suggested in RFC 6066: + * "If the server understood the ClientHello extension but + * does not recognize the server name, the server SHOULD take + * one of two actions: either abort the handshake by sending + * a fatal-level unrecognized_name(112) alert or continue + * the handshake." + */ } } } -- 2.40.0