ASF Bugzilla – Attachment 30172 Details for
Bug 54656
SNI and SSLProxyCheckPeerCN based on "connection" instead of "request" hostname
[patch]
new mod_ssl directive to use proxy-connection-hostname instead of proxy-request-hostname for SNI and SSLProxyCheckPeerCN
SSLProxyHostnameSource.patch (text/plain), 4.70 KB, created by
EugeneL
on 2013-04-10 01:26:33 UTC
Description:
new mod_ssl directive to use proxy-connection-hostname instead of proxy-request-hostname for SNI and SSLProxyCheckPeerCN
Filename:
MIME Type:
Creator:
EugeneL
Created:
2013-04-10 01:26:33 UTC
Size:
4.70 KB
patch
obsolete
>--- src2.4.4/apache/modules/proxy/mod_proxy_http.c 2013-01-21 16:09:52.000000000 +0000
>+++ proposal/apache/modules/proxy/mod_proxy_http.c 2013-03-06 19:33:17.000000000 +0000
>@@ -2256,6 +2256,8 @@
>
> apr_table_set(backend->connection->notes, "proxy-request-hostname",
> ssl_hostname);
>+ apr_table_set(backend->connection->notes, "proxy-connection-hostname",
>+ uri->hostname);
> }
> }
>
>--- src2.4.4/apache/modules/ssl/mod_ssl.c 2012-12-11 09:55:03.000000000 +0000
>+++ proposal/apache/modules/ssl/mod_ssl.c 2013-03-06 19:33:17.000000000 +0000
>@@ -194,6 +194,8 @@
> "SSL Proxy: check the peers certificate expiration date")
> SSL_CMD_SRV(ProxyCheckPeerCN, FLAG,
> "SSL Proxy: check the peers certificate CN")
>+ SSL_CMD_SRV(ProxyHostnameSource, TAKE1,
>+ "SSL Proxy: the source of the hostname to use for SNI and peer certificate CN check (either 'request' or 'connection')")
>
> /*
> * Per-directory context configuration directives
>--- src2.4.4/apache/modules/ssl/ssl_engine_config.c 2012-12-11 09:55:03.000000000 +0000
>+++ proposal/apache/modules/ssl/ssl_engine_config.c 2013-03-06 19:33:17.000000000 +0000
>@@ -201,6 +201,7 @@
> sc->insecure_reneg = UNSET;
> sc->proxy_ssl_check_peer_expire = SSL_ENABLED_UNSET;
> sc->proxy_ssl_check_peer_cn = SSL_ENABLED_UNSET;
>+ sc->proxy_ssl_hostname_source = SSL_HOSTNAMESRC_UNSET;
> #ifndef OPENSSL_NO_TLSEXT
> sc->strict_sni_vhost_check = SSL_ENABLED_UNSET;
> #endif
>@@ -325,6 +326,7 @@
> cfgMergeBool(insecure_reneg);
> cfgMerge(proxy_ssl_check_peer_expire, SSL_ENABLED_UNSET);
> cfgMerge(proxy_ssl_check_peer_cn, SSL_ENABLED_UNSET);
>+ cfgMerge(proxy_ssl_hostname_source, SSL_HOSTNAMESRC_UNSET);
> #ifndef OPENSSL_NO_TLSEXT
> cfgMerge(strict_sni_vhost_check, SSL_ENABLED_UNSET);
> #endif
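Review bot: The new proxy-connection-hostname note is filled from `uri->hostname` with nothing saying why it differs from the `ssl_hostname` used for the request note two lines above, and the enclosing block starts outside the hunk, so a reader of this hunk cannot see the distinction. If `ssl_hostname` can be taken from the client's Host header when ProxyPreserveHost is on (which is what the separate note suggests, though that code is above the hunk), a one-line comment would make the intent explicit: `/* Host from the configured backend URL, unaffected by ProxyPreserveHost */`. It is also worth confirming that `uri->hostname` is non-NULL on every path that reaches this block; a NULL value would be stored as an empty lookup, and ssl_engine_io.c would then have no hostname for the 'connection' source.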
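Review bot: The help string added for SSLProxyHostnameSource does not say which value applies when the directive is absent; the ssl_engine_io.c hunk treats every value other than 'connection' as 'request', so the legacy behaviour is the default and the string should state it, e.g. `"SSL Proxy: source of the hostname used for SNI and the peer certificate CN check ('request' (default) or 'connection')"`. Because the 'request' hostname may be client-influenced under ProxyPreserveHost (inferred from the mod_proxy_http.c hunk, where the request note is set independently of `uri->hostname`), the documentation for this directive should also note that 'connection' pins SNI and the CN comparison to the configured backend host, which is the property an administrator enabling SSLProxyCheckPeerCN usually wants.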
>@@ -1621,6 +1623,20 @@
> return NULL;
> }
>
>+const char *ssl_cmd_SSLProxyHostnameSource(cmd_parms *cmd, void *dcfg, const char *arg)
>+{
>+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
>+
>+ if (!strcasecmp(arg, "request")) {
>+ sc->proxy_ssl_hostname_source = SSL_HOSTNAMESRC_REQUEST;
>+ return NULL;
>+ } else if (!strcasecmp(arg, "connection")) {
>+ sc->proxy_ssl_hostname_source = SSL_HOSTNAMESRC_CONNECTION;
>+ return NULL;
>+ }
>+ return "SSLProxyHostnameSource failed: invalid argument";
>+}
>+
> const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag)
> {
> #ifndef OPENSSL_NO_TLSEXT
>--- src2.4.4/apache/modules/ssl/ssl_engine_io.c 2012-09-21 15:10:12.000000000 +0000
>+++ proposal/apache/modules/ssl/ssl_engine_io.c 2013-03-06 20:09:17.000000000 +0000
>@@ -1051,9 +1051,13 @@
> #ifndef OPENSSL_NO_TLSEXT
> apr_ipsubnet_t *ip;
> #endif
>- const char *hostname_note = apr_table_get(c->notes,
>- "proxy-request-hostname");
>+ const char *hostname_note;
> sc = mySrvConfig(server);
>+ if (sc->proxy_ssl_hostname_source == SSL_HOSTNAMESRC_CONNECTION) {
>+ hostname_note = apr_table_get(c->notes, "proxy-connection-hostname");
>+ } else {
>+ hostname_note = apr_table_get(c->notes, "proxy-request-hostname");
>+ }
>
> #ifndef OPENSSL_NO_TLSEXT
> /*
>@@ -1117,6 +1121,7 @@
> hostname = ssl_var_lookup(NULL, server, c, NULL,
> "SSL_CLIENT_S_DN_CN");
> apr_table_unset(c->notes, "proxy-request-hostname");
>+ apr_table_unset(c->notes, "proxy-connection-hostname");
>
> /* Do string match or simplest wildcard match if that
> * fails. */
>--- src2.4.4/apache/modules/ssl/ssl_private.h 2012-12-11 09:55:03.000000000 +0000
>+++ proposal/apache/modules/ssl/ssl_private.h 2013-03-06 19:33:17.000000000 +0000
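Review bot: The rejection string in ssl_cmd_SSLProxyHostnameSource, `"SSLProxyHostnameSource failed: invalid argument"`, neither echoes the offending value nor lists the accepted ones, which makes a typo in httpd.conf harder to diagnose than it needs to be; other handlers in ssl_engine_config.c build their messages with `apr_pstrcat`, as far as I recall. I would return `apr_pstrcat(cmd->pool, "SSLProxyHostnameSource: invalid argument '", arg, "', expected 'request' or 'connection'", NULL);` instead. A one-line comment above the function saying that the unset default behaves as 'request' would also help, since that mapping only exists implicitly in the ssl_engine_io.c comparison.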
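Review bot: In the ssl_engine_io.c hunk at line 1051, selecting `SSL_HOSTNAMESRC_CONNECTION` on a connection that carries only the proxy-request-hostname note leaves `hostname_note` NULL; if the CN comparison below this hunk is guarded on `hostname_note` being non-NULL, as the surrounding code suggests, the peer check would then be skipped silently rather than failing closed. mod_proxy_http.c sets both notes together, so this only affects other callers that set the request note alone, but falling back to the request note is cheap and keeps SSLProxyCheckPeerCN enforced. The enclosing function starts and ends outside the hunk.
```c
    const char *hostname_note = NULL;
    sc = mySrvConfig(server);
    if (sc->proxy_ssl_hostname_source == SSL_HOSTNAMESRC_CONNECTION) {
        hostname_note = apr_table_get(c->notes, "proxy-connection-hostname");
    }
    /* Fall back to the request note so that a missing connection note
     * never silently disables SNI or the peer CN check. */
    if (hostname_note == NULL) {
        hostname_note = apr_table_get(c->notes, "proxy-request-hostname");
    }
    /* … unchanged: TLSEXT / SNI handling … */
```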
>@@ -401,6 +401,15 @@
> } ssl_enabled_t;
>
> /**
>+ * Define the SSL hostname source
>+ */
>+typedef enum {
>+ SSL_HOSTNAMESRC_UNSET = UNSET,
>+ SSL_HOSTNAMESRC_REQUEST = 1,
>+ SSL_HOSTNAMESRC_CONNECTION = 2
>+} ssl_hostnamesrc_t;
>+
>+/**
> * Define the SSL requirement structure
> */
> typedef struct {
>@@ -681,6 +690,7 @@
> #ifndef OPENSSL_NO_COMP
> BOOL compression;
> #endif
>+ ssl_hostnamesrc_t proxy_ssl_hostname_source;
> };
>
> /**
>@@ -767,6 +777,7 @@
> #endif
> const char *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag);
> const char *ssl_cmd_SSLProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
>+const char *ssl_cmd_SSLProxyHostnameSource(cmd_parms *cmd, void *dcfg, const char *arg);
>
> const char *ssl_cmd_SSLOCSPOverrideResponder(cmd_parms *cmd, void *dcfg, int flag);
> const char *ssl_cmd_SSLOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, const char *arg);
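Review bot: The block comment on the new enum, `Define the SSL hostname source`, does not say what the values mean or that `SSL_HOSTNAMESRC_UNSET` behaves exactly like `SSL_HOSTNAMESRC_REQUEST` (the ssl_engine_io.c hunk only tests for `SSL_HOSTNAMESRC_CONNECTION`), which is the pre-existing behaviour. I would expand it to state that REQUEST uses the hostname mod_proxy_http.c records from the request in the proxy-request-hostname note, that CONNECTION uses the backend URL's host from the proxy-connection-hostname note, and that the selected value drives both SNI and the SSLProxyCheckPeerCN comparison. The same one-line default note belongs next to the `proxy_ssl_hostname_source` field added in the second hunk of this file, so the two stay in step.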