* modules/ssl/ssl_engine_io.c (ssl_io_filter_handshake): Add a

wildcard common name match. PR: 53006 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1375584 13f79535-47bb-0310-9956-ffa450edef68
2026-01-06 09:01:14 +03:00 · 2012-08-21 14:46:55 +00:00
parent 7f27e021d1
commit d41fac0208
2 changed files with 15 additions and 1 deletions
--- a/3
+++ b/3
@@ -1,6 +1,9 @@
                                                         -*- coding: utf-8 -*-
 Changes with Apache 2.5.0

+  *) mod_ssl: Match wildcard SSL certificate names in proxy mode.  
+     PR 53006.  [Joe Orton]
+
  *) WinNT MPM: Store pid and generation for each thread in scoreboard
     to allow tracking of threads from exiting children via mod_status
     or other such mechanisms.  [Jeff Trawick]
--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
@@ -1114,11 +1114,22 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
        if ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE) &&
            hostname_note) {
            const char *hostname;
+            int match = 0;

            hostname = ssl_var_lookup(NULL, server, c, NULL,
                                      "SSL_CLIENT_S_DN_CN");
            apr_table_unset(c->notes, "proxy-request-hostname");
-            if (strcasecmp(hostname, hostname_note)) {
+
+            /* Do string match or simplest wildcard match if that
+             * fails. */
+            match = strcasecmp(hostname, hostname_note) == 0;
+            if (!match && strncmp(hostname, "*.", 2) == 0) {
+                const char *p = ap_strchr_c(hostname_note, '.');
+                
+                match = p && strcasecmp(p, hostname + 1) == 0;
+            }
+
+            if (!match) {
                ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02005)
                              "SSL Proxy: Peer certificate CN mismatch:"
                              " Certificate CN: %s Requested hostname: %s",