From fe07b16cc2d5d7040aa88486c0d04733f98b9560 Mon Sep 17 00:00:00 2001 From: Jeff Trawick Date: Sat, 12 Jul 2014 13:26:42 +0000 Subject: [PATCH] Perform SNI checks only on the initial request. In particular, if these checks detect a problem, the checks shouldn't return an error again when processing an ErrorDocument redirect for the original problem. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1609914 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 3 +++ modules/ssl/ssl_engine_kernel.c | 8 +++++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index ea97bd1f34..9f4c6ecf94 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.0 + *) mod_ssl: Fix issue with redirects to error documents when handling + SNI errors. [Jeff Trawick] + *) mod_authnz_ldap: Return LDAP connections to the pool before the handler is run, instead of waiting until the end of the request. [Eric Covener] diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index 0207947d9c..ea1298a5b8 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -164,7 +164,13 @@ int ssl_hook_ReadReq(request_rec *r) return DECLINED; } #ifdef HAVE_TLSEXT - if (r->proxyreq != PROXYREQ_PROXY) { + /* + * Perform SNI checks only on the initial request. In particular, + * if these checks detect a problem, the checks shouldn't return an + * error again when processing an ErrorDocument redirect for the + * original problem. + */ + if (r->proxyreq != PROXYREQ_PROXY && ap_is_initial_req(r)) { if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { char *host, *scope_id; apr_port_t port; -- 2.40.0