first stab at a better SNI vs. request name matching, by accounting for serveralias and wildcards
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1698330 13f79535-47bb-0310-9956-ffa450edef68
@@ -200,14 +200,18 @@ int ssl_hook_ReadReq(request_rec *r)
|
|||||||
if (rv != APR_SUCCESS || scope_id) {
|
if (rv != APR_SUCCESS || scope_id) {
|
||||||
return HTTP_BAD_REQUEST;
|
return HTTP_BAD_REQUEST;
|
||||||
}
|
}
|
||||||
if (strcasecmp(host, servername)) {
|
if (strcasecmp(host, servername)
|
||||||
|
|| !sslconn->server
|
||||||
|
|| !ssl_util_vhost_matches(host, sslconn->server)) {
|
||||||
|
/*
|
||||||
|
* We are really not in Kansas anymore...
|
||||||
|
* The request hostname does not match the SNI and does not
|
||||||
|
* select the virtual host that was selected by the SNI.
|
||||||
|
*/
|
||||||
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02032)
|
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02032)
|
||||||
"Hostname %s provided via SNI and hostname %s provided"
|
"Hostname %s provided via SNI and hostname %s provided"
|
||||||
" via HTTP are different", servername, host);
|
" via HTTP are different", servername, host);
|
||||||
if (r->connection->keepalives > 0) {
|
return HTTP_MISDIRECTED_REQUEST;
|
||||||
return HTTP_MISDIRECTED_REQUEST;
|
|
||||||
}
|
|
||||||
return HTTP_BAD_REQUEST;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else if (((sc->strict_sni_vhost_check == SSL_ENABLED_TRUE)
|
else if (((sc->strict_sni_vhost_check == SSL_ENABLED_TRUE)
|
||||||
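Review bot: The new condition at the top of the hunk chains its three tests with `||`, so any Host that differs from the SNI name is still rejected before `ssl_util_vhost_matches()` is consulted, and the ServerAlias/wildcard matching the commit introduces only runs once the two names are already equal — the opposite of what the commit title and the new comment (`does not match the SNI and does not select the virtual host`) describe. If the rendering is faithful, the intended shape appears to be `if (strcasecmp(host, servername) && (!sslconn->server || !ssl_util_vhost_matches(host, sslconn->server))) {`, which keeps the request bound to the vhost selected during the handshake while accepting its aliases. The APLOGNO(02032) message `" via HTTP are different"` then no longer describes the only way into this branch; wording such as `" via HTTP do not select the same virtual host"` would match the condition. ssl_hook_ReadReq starts and ends outside the hunk.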
@@ -2000,50 +2004,10 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s)
|
|||||||
{
|
{
|
||||||
SSLSrvConfigRec *sc;
|
SSLSrvConfigRec *sc;
|
||||||
SSL *ssl;
|
SSL *ssl;
|
||||||
BOOL found = FALSE;
|
BOOL found;
|
||||||
apr_array_header_t *names;
|
|
||||||
int i;
|
|
||||||
SSLConnRec *sslcon;
|
SSLConnRec *sslcon;
|
||||||
|
|
||||||
/* check ServerName */
|
found = ssl_util_vhost_matches(servername, s);
|
||||||
if (!strcasecmp(servername, s->server_hostname)) {
|
|
||||||
found = TRUE;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
* if not matched yet, check ServerAlias entries
|
|
||||||
* (adapted from vhost.c:matches_aliases())
|
|
||||||
*/
|
|
||||||
if (!found) {
|
|
||||||
names = s->names;
|
|
||||||
if (names) {
|
|
||||||
char **name = (char **)names->elts;
|
|
||||||
for (i = 0; i < names->nelts; ++i) {
|
|
||||||
if (!name[i])
|
|
||||||
continue;
|
|
||||||
if (!strcasecmp(servername, name[i])) {
|
|
||||||
found = TRUE;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/* if still no match, check ServerAlias entries with wildcards */
|
|
||||||
if (!found) {
|
|
||||||
names = s->wild_names;
|
|
||||||
if (names) {
|
|
||||||
char **name = (char **)names->elts;
|
|
||||||
for (i = 0; i < names->nelts; ++i) {
|
|
||||||
if (!name[i])
|
|
||||||
continue;
|
|
||||||
if (!ap_strcasecmp_match(servername, name[i])) {
|
|
||||||
found = TRUE;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/* set SSL_CTX (if matched) */
|
/* set SSL_CTX (if matched) */
|
||||||
sslcon = myConnConfig(c);
|
sslcon = myConnConfig(c);
|
||||||
|
@@ -853,6 +853,8 @@ BOOL ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *);
|
|||||||
void ssl_util_thread_setup(apr_pool_t *);
|
void ssl_util_thread_setup(apr_pool_t *);
|
||||||
int ssl_init_ssl_connection(conn_rec *c, request_rec *r);
|
int ssl_init_ssl_connection(conn_rec *c, request_rec *r);
|
||||||
|
|
||||||
|
BOOL ssl_util_vhost_matches(const char *servername, server_rec *s);
|
||||||
|
|
||||||
/** Pass Phrase Support */
|
/** Pass Phrase Support */
|
||||||
apr_status_t ssl_load_encrypted_pkey(server_rec *, apr_pool_t *, int,
|
apr_status_t ssl_load_encrypted_pkey(server_rec *, apr_pool_t *, int,
|
||||||
const char *, apr_array_header_t **);
|
const char *, apr_array_header_t **);
|
||||||
|
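Review bot: The new `ssl_util_vhost_matches()` prototype is added without a comment, although this header labels neighbouring groups (`/** Pass Phrase Support */`) and the function now gates both SNI vhost selection and the Host-vs-SNI check, so its contract belongs at the declaration. Suggest placing `/** Return TRUE iff servername equals s's ServerName, a ServerAlias, or a wildcard ServerAlias (all case-insensitive). */` above the declaration.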
@@ -60,6 +60,52 @@ char *ssl_util_vhostid(apr_pool_t *p, server_rec *s)
|
|||||||
return id;
|
return id;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Return TRUE iff the given servername matches the server record when
|
||||||
|
* selecting virtual hosts.
|
||||||
|
*/
|
||||||
|
BOOL ssl_util_vhost_matches(const char *servername, server_rec *s)
|
||||||
|
{
|
||||||
|
apr_array_header_t *names;
|
||||||
|
int i;
|
||||||
|
|
||||||
|
/* check ServerName */
|
||||||
|
if (!strcasecmp(servername, s->server_hostname)) {
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* if not matched yet, check ServerAlias entries
|
||||||
|
* (adapted from vhost.c:matches_aliases())
|
||||||
|
*/
|
||||||
|
names = s->names;
|
||||||
|
if (names) {
|
||||||
|
char **name = (char **)names->elts;
|
||||||
|
for (i = 0; i < names->nelts; ++i) {
|
||||||
|
if (!name[i])
|
||||||
|
continue;
|
||||||
|
if (!strcasecmp(servername, name[i])) {
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/* if still no match, check ServerAlias entries with wildcards */
|
||||||
|
names = s->wild_names;
|
||||||
|
if (names) {
|
||||||
|
char **name = (char **)names->elts;
|
||||||
|
for (i = 0; i < names->nelts; ++i) {
|
||||||
|
if (!name[i])
|
||||||
|
continue;
|
||||||
|
if (!ap_strcasecmp_match(servername, name[i])) {
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
apr_file_t *ssl_util_ppopen(server_rec *s, apr_pool_t *p, const char *cmd,
|
apr_file_t *ssl_util_ppopen(server_rec *s, apr_pool_t *p, const char *cmd,
|
||||||
const char * const *argv)
|
const char * const *argv)
|
||||||
{
|
{
|
||||||
|
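Review bot: The header comment on `ssl_util_vhost_matches()` (`Return TRUE iff the given servername matches the server record when selecting virtual hosts`) does not say what "matches" covers, and the result now decides whether a request's Host header is accepted against the SNI-selected vhost; it should state that ServerName, each ServerAlias and each wildcard ServerAlias are compared case-insensitively via `strcasecmp()` / `ap_strcasecmp_match()`, and that `servername` and `s->server_hostname` are assumed non-NULL, since `strcasecmp()` on NULL is undefined — worth confirming for the Host-header caller. The two scans over `s->names` and `s->wild_names` are identical apart from the comparison, and the block is marked as adapted from `vhost.c:matches_aliases()`, so any later change there will need mirroring here; a small static helper would cut the duplication to one loop.

```c
/* TRUE iff servername matches some entry of names under cmp (0 == match). */
static BOOL name_list_matches(const char *servername, apr_array_header_t *names,
                              int (*cmp)(const char *, const char *))
{
    int i;
    char **name;

    if (!names) {
        return FALSE;
    }
    name = (char **)names->elts;
    for (i = 0; i < names->nelts; ++i) {
        if (name[i] && !cmp(servername, name[i])) {
            return TRUE;
        }
    }
    return FALSE;
}

BOOL ssl_util_vhost_matches(const char *servername, server_rec *s)
{
    /* check ServerName */
    if (!strcasecmp(servername, s->server_hostname)) {
        return TRUE;
    }
    /* ServerAlias entries, then ServerAlias entries with wildcards */
    return name_list_matches(servername, s->names, strcasecmp)
        || name_list_matches(servername, s->wild_names, ap_strcasecmp_match);
}
```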