www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-07 04:02:58 +03:00
Code Activity

first stab at a better SNI vs. request name matching, by accounting for serveralias and wildcards

Browse Source 
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1698330 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Stefan Eissing
2015-08-28 13:00:52 +00:00
parent 9d99941373
commit cf6c7246d5
3 changed files with 61 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

62
modules/ssl/ssl_engine_kernel.c
View File

@@ -200,14 +200,18 @@ int ssl_hook_ReadReq(request_rec *r)
if (rv != APR_SUCCESS || scope_id) {
return HTTP_BAD_REQUEST;
}
if (strcasecmp(host, servername)) {
if (strcasecmp(host, servername)
|| !sslconn->server
|| !ssl_util_vhost_matches(host, sslconn->server)) {
/*
* We are really not in Kansas anymore...
* The request hostname does not match the SNI and does not
* select the virtual host that was selected by the SNI.
*/
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02032)
"Hostname %s provided via SNI and hostname %s provided"
" via HTTP are different", servername, host);
if (r->connection->keepalives > 0) {
return HTTP_MISDIRECTED_REQUEST;
}
return HTTP_BAD_REQUEST;
"Hostname %s provided via SNI and hostname %s provided"
" via HTTP are different", servername, host);
return HTTP_MISDIRECTED_REQUEST;
}
}
else if (((sc->strict_sni_vhost_check == SSL_ENABLED_TRUE)
@@ -2000,50 +2004,10 @@ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s)
{
SSLSrvConfigRec *sc;
SSL *ssl;
BOOL found = FALSE;
apr_array_header_t *names;
int i;
BOOL found;
SSLConnRec *sslcon;
/* check ServerName */
if (!strcasecmp(servername, s->server_hostname)) {
found = TRUE;
}
/*
* if not matched yet, check ServerAlias entries
* (adapted from vhost.c:matches_aliases())
*/
if (!found) {
names = s->names;
if (names) {
char **name = (char **)names->elts;
for (i = 0; i < names->nelts; ++i) {
if (!name[i])
continue;
if (!strcasecmp(servername, name[i])) {
found = TRUE;
break;
}
}
}
}
/* if still no match, check ServerAlias entries with wildcards */
if (!found) {
names = s->wild_names;
if (names) {
char **name = (char **)names->elts;
for (i = 0; i < names->nelts; ++i) {
if (!name[i])
continue;
if (!ap_strcasecmp_match(servername, name[i])) {
found = TRUE;
break;
}
}
}
}
found = ssl_util_vhost_matches(servername, s);
/* set SSL_CTX (if matched) */
sslcon = myConnConfig(c);

2
modules/ssl/ssl_private.h
View File

@@ -853,6 +853,8 @@ BOOL ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *);
void ssl_util_thread_setup(apr_pool_t *);
int ssl_init_ssl_connection(conn_rec *c, request_rec *r);
BOOL ssl_util_vhost_matches(const char *servername, server_rec *s);
/** Pass Phrase Support */
apr_status_t ssl_load_encrypted_pkey(server_rec *, apr_pool_t *, int,
const char *, apr_array_header_t **);

46
modules/ssl/ssl_util.c
View File

@@ -60,6 +60,52 @@ char *ssl_util_vhostid(apr_pool_t *p, server_rec *s)
return id;
}
/*
* Return TRUE iff the given servername matches the server record when
* selecting virtual hosts.
*/
BOOL ssl_util_vhost_matches(const char *servername, server_rec *s)
{
apr_array_header_t *names;
int i;
/* check ServerName */
if (!strcasecmp(servername, s->server_hostname)) {
return TRUE;
}
/*
* if not matched yet, check ServerAlias entries
* (adapted from vhost.c:matches_aliases())
*/
names = s->names;
if (names) {
char **name = (char **)names->elts;
for (i = 0; i < names->nelts; ++i) {
if (!name[i])
continue;
if (!strcasecmp(servername, name[i])) {
return TRUE;
}
}
}
/* if still no match, check ServerAlias entries with wildcards */
names = s->wild_names;
if (names) {
char **name = (char **)names->elts;
for (i = 0; i < names->nelts; ++i) {
if (!name[i])
continue;
if (!ap_strcasecmp_match(servername, name[i])) {
return TRUE;
}
}
}
return FALSE;
}
apr_file_t *ssl_util_ppopen(server_rec *s, apr_pool_t *p, const char *cmd,
const char * const *argv)
{