Index: server/common/patches/httpd-2.2.x-sni.patch
===================================================================
--- server/common/patches/httpd-2.2.x-sni.patch	(revision 1101)
+++ server/common/patches/httpd-2.2.x-sni.patch	(revision 1102)
@@ -1,16 +1,18 @@
-# httpd-2.2.x-sni.patch - server name indication support for Apache 2.2
-# (see RFC 4366, "Transport Layer Security (TLS) Extensions")
+httpd-2.2.x-sni.patch - server name indication support for Apache 2.2
+(see RFC 4366, "Transport Layer Security (TLS) Extensions")
 
-# based on a patch from the EdelKey project
-# (http://www.edelweb.fr/EdelKey/files/apache-2.2.0+0.9.9+servername.patch)
+Last updated 2009-04-08
 
-# Needs openssl-SNAP-20060330 / OpenSSL 0.9.8f or later
-# to work properly (ftp://ftp.openssl.org/snapshot/). The 0.9.8 versions
-# must be configured explicitly for TLS extension support at compile time
-# ("./config enable-tlsext").
+based on a patch from the EdelKey project
+(http://www.edelweb.fr/EdelKey/files/apache-2.2.0+0.9.9+servername.patch)
+
+Needs openssl-SNAP-20060330 / OpenSSL 0.9.8f or later
+to work properly (ftp://ftp.openssl.org/snapshot/). OpenSSL versions
+prior to 0.9.8j must be configured explicitly for TLS extension support
+at compile time ("./config enable-tlsext").
 
 Index: httpd-2.2.x/modules/ssl/ssl_private.h
 ===================================================================
---- httpd-2.2.x/modules/ssl/ssl_private.h	(revision 663014)
+--- httpd-2.2.x/modules/ssl/ssl_private.h	(revision 763153)
 +++ httpd-2.2.x/modules/ssl/ssl_private.h	(working copy)
 @@ -35,6 +35,7 @@
@@ -22,5 +24,5 @@
  #include "util_filter.h"
  #include "util_ebcdic.h"
-@@ -555,6 +556,9 @@ int          ssl_callback_NewSessionCach
+@@ -562,6 +563,9 @@ int          ssl_callback_NewSessionCacheEntry(SSL
  SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
  void         ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
@@ -34,7 +36,7 @@
 Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c
 ===================================================================
---- httpd-2.2.x/modules/ssl/ssl_engine_init.c	(revision 663014)
+--- httpd-2.2.x/modules/ssl/ssl_engine_init.c	(revision 763153)
 +++ httpd-2.2.x/modules/ssl/ssl_engine_init.c	(working copy)
-@@ -355,6 +355,33 @@ static void ssl_init_server_check(server
+@@ -358,6 +358,33 @@ static void ssl_init_server_check(server_rec *s,
      }
  }
@@ -70,5 +72,5 @@
                                    apr_pool_t *p,
                                    apr_pool_t *ptemp,
-@@ -687,6 +714,9 @@ static void ssl_init_ctx(server_rec *s,
+@@ -690,6 +717,9 @@ static void ssl_init_ctx(server_rec *s,
      if (mctx->pks) {
          /* XXX: proxy support? */
@@ -80,5 +82,5 @@
  }
  
-@@ -1036,9 +1066,19 @@ void ssl_init_CheckServers(server_rec *b
+@@ -1039,9 +1069,19 @@ void ssl_init_CheckServers(server_rec *base_server
          klen = strlen(key);
  
@@ -101,5 +103,5 @@
                           ssl_util_vhostid(p, s),
                           (s->defn_name ? s->defn_name : "unknown"),
-@@ -1055,8 +1095,14 @@ void ssl_init_CheckServers(server_rec *b
+@@ -1058,8 +1098,14 @@ void ssl_init_CheckServers(server_rec *base_server
  
      if (conflict) {
@@ -118,7 +120,7 @@
 Index: httpd-2.2.x/modules/ssl/ssl_engine_vars.c
 ===================================================================
---- httpd-2.2.x/modules/ssl/ssl_engine_vars.c	(revision 663014)
+--- httpd-2.2.x/modules/ssl/ssl_engine_vars.c	(revision 763153)
 +++ httpd-2.2.x/modules/ssl/ssl_engine_vars.c	(working copy)
-@@ -320,6 +320,12 @@ static char *ssl_var_lookup_ssl(apr_pool
+@@ -320,6 +320,12 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, con
      else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) {
          result = ssl_var_lookup_ssl_compress_meth(ssl);
@@ -135,5 +137,5 @@
 Index: httpd-2.2.x/modules/ssl/ssl_engine_kernel.c
 ===================================================================
---- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c	(revision 663014)
+--- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c	(revision 763153)
 +++ httpd-2.2.x/modules/ssl/ssl_engine_kernel.c	(working copy)
 @@ -31,6 +31,9 @@
@@ -157,14 +159,34 @@
      if (!sslconn) {
          return DECLINED;
-@@ -87,6 +93,14 @@ int ssl_hook_ReadReq(request_rec *r)
+@@ -87,6 +93,34 @@ int ssl_hook_ReadReq(request_rec *r)
      if (!ssl) {
          return DECLINED;
      }
 +#ifndef OPENSSL_NO_TLSEXT
-+    if (!r->hostname &&
-+        (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
-+        /* Use the SNI extension as the hostname if no Host: header was sent */
-+        r->hostname = apr_pstrdup(r->pool, servername);
-+        ap_update_vhost_from_headers(r);
++    if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
++        char *host, *scope_id;
++        apr_port_t port;
++        apr_status_t rv;
++
++        /*
++         * The SNI extension supplied a hostname. So don't accept requests
++         * with either no hostname or a different hostname.
++         */
++        if (!r->hostname) {
++            ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
++                        "Hostname %s provided via SNI, but no hostname"
++                        " provided in HTTP request", servername);
++            return HTTP_BAD_REQUEST;
++        }
++        rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool);
++        if (rv != APR_SUCCESS || scope_id) {
++            return HTTP_BAD_REQUEST;
++        }
++        if (strcmp(host, servername)) {
++            ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
++                        "Hostname %s provided via SNI and hostname %s provided"
++                        " via HTTP are different", servername, host);
++            return HTTP_BAD_REQUEST;
++        }
 +    }
 +#endif
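Review bot: The `strcmp(host, servername)` comparison at the end of the new block dereferences `host` without a NULL check, and as far as I recall `apr_parse_addr_port` returns APR_SUCCESS with `host` left NULL when the whole string is digits (it treats `Host: 8080` as a bare port), so a request carrying SNI plus such a Host value would crash the child instead of getting the intended 400. The compare is also case-sensitive, while DNS names and the HTTP Host field are case-insensitive, so `Host: WWW.Example.COM` against an SNI name of `www.example.com` would be rejected. Both are addressed by `if (!host || strcasecmp(host, servername)) {`, keeping the existing log line and HTTP_BAD_REQUEST return unchanged. The enclosing ssl_hook_ReadReq body continues past the end of the hunk.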
@@ -172,5 +194,5 @@
  
      /*
-@@ -252,7 +266,7 @@ int ssl_hook_Access(request_rec *r)
+@@ -252,7 +286,7 @@ int ssl_hook_Access(request_rec *r)
       *   has to enable this via ``SSLOptions +OptRenegotiate''. So we do no
       *   implicit optimizations.
@@ -181,17 +203,17 @@
  
          if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) {
-@@ -267,7 +281,10 @@ int ssl_hook_Access(request_rec *r)
+@@ -267,7 +301,10 @@ int ssl_hook_Access(request_rec *r)
          }
  
          /* configure new state */
 -        if (!modssl_set_cipher_list(ssl, dc->szCipherSuite)) {
-+        if ((dc->szCipherSuite &&
-+             !modssl_set_cipher_list(ssl, dc->szCipherSuite)) ||
-+            (sc->server->auth.cipher_suite &&
-+             !modssl_set_cipher_list(ssl, sc->server->auth.cipher_suite))) {
++        if ((dc->szCipherSuite || sc->server->auth.cipher_suite) &&
++            !modssl_set_cipher_list(ssl, dc->szCipherSuite ?
++                                         dc->szCipherSuite :
++                                         sc->server->auth.cipher_suite)) {
              ap_log_error(APLOG_MARK, APLOG_WARNING, 0,
                           r->server,
                           "Unable to reconfigure (per-directory) "
-@@ -334,8 +351,13 @@ int ssl_hook_Access(request_rec *r)
+@@ -334,8 +371,13 @@ int ssl_hook_Access(request_rec *r)
              sk_SSL_CIPHER_free(cipher_list_old);
          }
@@ -208,24 +230,34 @@
                           "Reconfigured cipher suite will force renegotiation");
          }
-@@ -353,14 +375,16 @@ int ssl_hook_Access(request_rec *r)
+@@ -353,19 +395,15 @@ int ssl_hook_Access(request_rec *r)
       * currently active/remembered verify depth (because this means more
       * restriction on the certificate chain).
       */
 -    if (dc->nVerifyDepth != UNSET) {
-+    if ((dc->nVerifyDepth != UNSET) ||
-+        (sc->server->auth.verify_depth != 1)) {
-         /* XXX: doesnt look like sslconn->verify_depth is actually used */
-         if (!(n = sslconn->verify_depth)) {
-             sslconn->verify_depth = n = sc->server->auth.verify_depth;
-         }
- 
-         /* determine whether a renegotiation has to be forced */
+-        /* XXX: doesnt look like sslconn->verify_depth is actually used */
+-        if (!(n = sslconn->verify_depth)) {
+-            sslconn->verify_depth = n = sc->server->auth.verify_depth;
+-        }
+-
+-        /* determine whether a renegotiation has to be forced */
 -        if (dc->nVerifyDepth < n) {
-+        if ((dc->nVerifyDepth < n) ||
-+            (sc->server->auth.verify_depth < n)) {
-             renegotiate = TRUE;
-             ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
-                          "Reduced client verification depth will force "
-@@ -382,18 +406,22 @@ int ssl_hook_Access(request_rec *r)
+-            renegotiate = TRUE;
+-            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+-                         "Reduced client verification depth will force "
+-                         "renegotiation");
+-        }
++    n = sslconn->verify_depth;
++    sslconn->verify_depth = (dc->nVerifyDepth != UNSET) ?
++                            dc->nVerifyDepth : sc->server->auth.verify_depth;
++    if ((sslconn->verify_depth < n) ||
++        ((n == 0) && (sc->server->auth.verify_depth == 0))) {
++        renegotiate = TRUE;
++        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
++                     "Reduced client verification depth will force "
++                     "renegotiation");
+     }
+ 
+     /*
+@@ -382,18 +420,22 @@ int ssl_hook_Access(request_rec *r)
       * verification but at least skip the I/O-intensive renegotation
       * handshake.
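Review bot: The rewritten depth check (`n = sslconn->verify_depth;` through `if ((sslconn->verify_depth < n) || ...)`) no longer falls back to the server depth when `sslconn->verify_depth` is still 0, which the removed lines did with `sslconn->verify_depth = n = sc->server->auth.verify_depth;`, so on a connection whose remembered depth is unset a per-directory depth lower than the server's configured depth is compared against 0 and cannot force renegotiation; only the second clause `(n == 0) && (sc->server->auth.verify_depth == 0)` can fire in that case, and nothing in the hunk says what it is for. If 0 still means "not yet remembered" here, I would keep the fallback, `n = sslconn->verify_depth ? sslconn->verify_depth : sc->server->auth.verify_depth;`, and either drop that clause or add a comment explaining it. This may be intentional if another part of the patch (for example the servername callback) now initializes `verify_depth` on the connection, which is not visible from this hunk. ssl_hook_Access starts and ends outside the hunk.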
@@ -253,5 +285,5 @@
              verify |= SSL_VERIFY_PEER;
          }
-@@ -491,6 +519,40 @@ int ssl_hook_Access(request_rec *r)
+@@ -491,6 +533,40 @@ int ssl_hook_Access(request_rec *r)
                       "Changed client verification locations will force "
                       "renegotiation");
@@ -294,5 +326,5 @@
  
      /* If a renegotiation is now required for this location, and the
-@@ -666,8 +728,10 @@ int ssl_hook_Access(request_rec *r)
+@@ -675,8 +751,10 @@ int ssl_hook_Access(request_rec *r)
          /*
           * Finally check for acceptable renegotiation results
@@ -307,5 +339,5 @@
              if (do_verify && (SSL_get_verify_result(ssl) != X509_V_OK)) {
                  ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
-@@ -997,6 +1061,9 @@ int ssl_hook_Fixup(request_rec *r)
+@@ -1006,6 +1084,9 @@ int ssl_hook_Fixup(request_rec *r)
      SSLDirConfigRec *dc = myDirConfig(r);
      apr_table_t *env = r->subprocess_env;
@@ -317,5 +349,5 @@
      SSL *ssl;
      int i;
-@@ -1018,6 +1085,13 @@ int ssl_hook_Fixup(request_rec *r)
+@@ -1027,6 +1108,13 @@ int ssl_hook_Fixup(request_rec *r)
      /* the always present HTTPS (=HTTP over SSL) flag! */
      apr_table_setn(env, "HTTPS", "on");
@@ -331,5 +363,5 @@
      if (dc->nOptions & SSL_OPT_STDENVVARS) {
          for (i = 0; ssl_hook_Fixup_vars[i]; i++) {
-@@ -1166,8 +1240,8 @@ int ssl_callback_SSLVerify(int ok, X509_
+@@ -1175,8 +1263,8 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX
      SSL *ssl = X509_STORE_CTX_get_ex_data(ctx,
                                            SSL_get_ex_data_X509_STORE_CTX_idx());
@@ -341,5 +373,5 @@
      SSLSrvConfigRec *sc = mySrvConfig(s);
      SSLDirConfigRec *dc = r ? myDirConfig(r) : NULL;
-@@ -1290,7 +1364,10 @@ int ssl_callback_SSLVerify(int ok, X509_
+@@ -1299,7 +1387,10 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX
  
  int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, conn_rec *c)
@@ -353,5 +385,5 @@
      SSLConnRec *sslconn = myConnConfig(c);
      modssl_ctx_t *mctx  = myCtxConfig(sslconn, sc);
-@@ -1810,3 +1887,141 @@ void ssl_callback_LogTracingState(MODSSL
+@@ -1819,3 +1910,141 @@ void ssl_callback_LogTracingState(MODSSL_INFO_CB_A
      }
  }
@@ -497,7 +529,7 @@
 Index: httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h
 ===================================================================
---- httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h	(revision 663014)
+--- httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h	(revision 763153)
 +++ httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h	(working copy)
-@@ -264,6 +264,12 @@ typedef void (*modssl_popfree_fn)(char *
+@@ -264,6 +264,12 @@ typedef void (*modssl_popfree_fn)(char *data);
  #define SSL_SESS_CACHE_NO_INTERNAL  SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
  #endif
