ASF Bugzilla – Attachment 29500 Details for Bug 54030: Support subjectAltName when (reverse-)proxying
[patch] subjectAltName support for httpd-trunk-20121019

Description: subjectAltName support for httpd-trunk-20121019
Filename: httpd-trunk-20121019-subjectaltname.patch
MIME Type: text/plain
Creator: Michael Weiser
Created: 2012-10-19 21:41:49 UTC
Size: 3.68 KB
patch, obsolete
>Index: modules/ssl/ssl_engine_io.c >=================================================================== >--- modules/ssl/ssl_engine_io.c (revision 1400255) >+++ modules/ssl/ssl_engine_io.c (working copy) 
>@@ -1113,27 +1113,60 @@ > } > if ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE) && > hostname_note) { >- const char *hostname; >- int match = 0; >+ apr_array_header_t *ids; >+ char *cp; >+ int i; >+ char **id; >+ BOOL is_wildcard, matched = FALSE; > >- hostname = ssl_var_lookup(NULL, server, c, NULL, >- "SSL_CLIENT_S_DN_CN"); > apr_table_unset(c->notes, "proxy-request-hostname"); >+ if (!SSL_X509_getIDs(c->pool, cert, &ids)) { >+ ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO() >+ "SSL Proxy: Failure to extract DNs from" >+ " peer certificate." >+ " Requested hostname: %s", hostname_note); >+ /* ensure that the SSL structures etc are freed, etc: */ >+ ssl_filter_io_shutdown(filter_ctx, c, 1); >+ apr_table_setn(c->notes, "SSL_connect_rv", "err"); >+ return HTTP_BAD_GATEWAY; >+ } > >- /* Do string match or simplest wildcard match if that >- * fails. */ >- match = strcasecmp(hostname, hostname_note) == 0; >- if (!match && strncmp(hostname, "*.", 2) == 0) { >- const char *p = ap_strchr_c(hostname_note, '.'); >- >- match = p && strcasecmp(p, hostname + 1) == 0; >+ id = (char **)ids->elts; >+ for (i = 0; i < ids->nelts; i++) { >+ if (!id[i]) >+ continue; >+ >+ ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO() >+ "SSL Proxy: Peer certificate check:" >+ " %s == %s", hostname_note, id[i]); >+ /* >+ * Determine if it is a wildcard ID - we're restrictive >+ * in the sense that we require the wildcard character to be >+ * THE left-most label (i.e., the ID must start with "*.") >+ */ >+ is_wildcard = (*id[i] == '*' && *(id[i]+1) == '.') ? TRUE : FALSE; >+ >+ /* >+ * If the ID includes a wildcard character, check if it matches >+ * for the left-most DNS label (i.e., the wildcard character >+ * is not allowed to match a dot). Otherwise, try a simple >+ * string compare, case insensitively. 
>+ */ >+ if ((is_wildcard == TRUE && >+ (cp = strchr(hostname_note, '.')) && >+ !strcasecmp(id[i]+1, cp)) || >+ !strcasecmp(id[i], hostname_note)) { >+ matched = TRUE; >+ break; >+ } > } > >- if (!match) { >+ if (matched == FALSE) { > ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02005) > "SSL Proxy: Peer certificate CN mismatch:" >- " Certificate CN: %s Requested hostname: %s", >- hostname, hostname_note); >+ " Requested hostname: %s." >+ " Last DN checked: %s.", >+ hostname_note, id[i-1]); > /* ensure that the SSL structures etc are freed, etc: */ > ssl_filter_io_shutdown(filter_ctx, c, 1); > apr_table_setn(c->notes, "SSL_connect_rv", "err");
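Review bot: the mismatch branch logs `id[i-1]`, which reads before the start of the array if `SSL_X509_getIDs` can succeed with `ids->nelts == 0` (the loop body never runs and `i` stays 0), and names the wrong entry whenever the last element was skipped by `if (!id[i]) continue;`. Suggest keeping a separate `const char *last = "(none)"` that is updated only for identifiers actually compared, and logging that instead of `id[i-1]`. Two smaller points: the two new messages carry an empty `APLOGNO()` and need numbers assigned before commit, and the text "Peer certificate CN mismatch" now also covers subjectAltName entries, so "identity mismatch" would describe it better. The matching itself looks right: `is_wildcard` only accepts a leading `"*."` and compares the remainder against everything after the first dot of the requested name, so the wildcard cannot span a label; as in the replaced code, a pattern with a single label after the `*.` is still accepted, which is worth a comment if that is intended.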
Attachments on bug 54030: 29499 | 29500