patch from yann that fixes MISDIRECTED_REQUEST handling for setups with ServerAlias/subjectAltNames

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1703822 13f79535-47bb-0310-9956-ffa450edef68

modules/ssl/ssl_engine_kernel.c

@@ -172,19 +172,18 @@ int ssl_hook_ReadReq(request_rec *r)
      * original problem.
      */
     if (r->proxyreq != PROXYREQ_PROXY && ap_is_initial_req(r)) {
-        if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
+        server_rec *handshakeserver = sslconn->server;
-            char *host, *scope_id;
+        SSLSrvConfigRec *hssc = mySrvConfig(handshakeserver);
-            apr_port_t port;
-            apr_status_t rv;
 
+        if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
             /*
              * The SNI extension supplied a hostname. So don't accept requests
-             * with either no hostname or a different hostname as this could
+             * with either no hostname or a hostname that selected a different
-             * cause us to end up in a different virtual host as the one that
+             * virtual host than the one used for the handshake, causing
-             * was used for the handshake causing different SSL parameters to
+             * different SSL parameters to be applied, such as SSLProtocol,
-             * be applied as SSLProtocol, SSLCACertificateFile/Path and
+             * SSLCACertificateFile/Path and SSLCADNRequestFile/Path which
-             * SSLCADNRequestFile/Path cannot be renegotiated (SSLCA* due
+             * cannot be renegotiated (SSLCA* due to current limitations in
-             * to current limitations in OpenSSL, see
+             * OpenSSL, see:
              * http://mail-archives.apache.org/mod_mbox/httpd-dev/200806.mbox/%3C48592955.2090303@velox.ch%3E
              * and
              * http://mail-archives.apache.org/mod_mbox/httpd-dev/201312.mbox/%3CCAKQ1sVNpOrdiBm-UPw1hEdSN7YQXRRjeaT-MCWbW_7mN%3DuFiOw%40mail.gmail.com%3E
@@ -196,27 +195,21 @@ int ssl_hook_ReadReq(request_rec *r)
                             " provided in HTTP request", servername);
                 return HTTP_BAD_REQUEST;
             }
-            rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool);
+            if (r->server != handshakeserver) {
-            if (rv != APR_SUCCESS || scope_id) {
-                return HTTP_BAD_REQUEST;
-            }
-            if (strcasecmp(host, servername) 
-                || !sslconn->server 
-                || !ssl_util_vhost_matches(host, sslconn->server)) {
                 /* 
                  * We are really not in Kansas anymore...
-                 * The request hostname does not match the SNI and does not
+                 * The request does not select the virtual host that was
-                 * select the virtual host that was selected by the SNI.
+                 * selected by the SNI.
                  */
                 ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02032)
                              "Hostname %s provided via SNI and hostname %s provided"
-                             " via HTTP are different", servername, host);
+                             " via HTTP select a different server",
+                             servername, r->hostname);
                 return HTTP_MISDIRECTED_REQUEST;
             }
         }
         else if (((sc->strict_sni_vhost_check == SSL_ENABLED_TRUE)
-                 || (mySrvConfig(sslconn->server))->strict_sni_vhost_check
+                  || hssc->strict_sni_vhost_check == SSL_ENABLED_TRUE)
-                    == SSL_ENABLED_TRUE)
                  && r->connection->vhost_lookup_data) {
             /*
              * We are using a name based configuration here, but no hostname was