Attachment 30172 Details for Bug 54656 – new mod_ssl directive to use proxy-connection-hostname instead of proxy-request-hostname for SNI and SSLProxyCheckPeerCN

[patch] new mod_ssl directive to use proxy-connection-hostname instead of proxy-request-hostname for SNI and SSLProxyCheckPeerCN

SSLProxyHostnameSource.patch (text/plain), 4.70 KB, created by EugeneL on 2013-04-10 01:26:33 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: EugeneL

Created: 2013-04-10 01:26:33 UTC

Size: 4.70 KB

patch

obsolete

>--- src2.4.4/apache/modules/proxy/mod_proxy_http.c	2013-01-21 16:09:52.000000000 +0000
>+++ proposal/apache/modules/proxy/mod_proxy_http.c	2013-03-06 19:33:17.000000000 +0000
>@@ -2256,6 +2256,8 @@
> 
>                 apr_table_set(backend->connection->notes, "proxy-request-hostname",
>                               ssl_hostname);
>+                apr_table_set(backend->connection->notes, "proxy-connection-hostname",
>+                              uri->hostname);
>             }
>         }
> 
>--- src2.4.4/apache/modules/ssl/mod_ssl.c	2012-12-11 09:55:03.000000000 +0000
>+++ proposal/apache/modules/ssl/mod_ssl.c	2013-03-06 19:33:17.000000000 +0000
>@@ -194,6 +194,8 @@
>                 "SSL Proxy: check the peers certificate expiration date")
>     SSL_CMD_SRV(ProxyCheckPeerCN, FLAG,
>                 "SSL Proxy: check the peers certificate CN")
>+    SSL_CMD_SRV(ProxyHostnameSource, TAKE1,
>+                "SSL Proxy: the source of the hostname to use for SNI and peer certificate CN check (either 'request' or 'connection')")
> 
>     /*
>      * Per-directory context configuration directives
>--- src2.4.4/apache/modules/ssl/ssl_engine_config.c	2012-12-11 09:55:03.000000000 +0000
>+++ proposal/apache/modules/ssl/ssl_engine_config.c	2013-03-06 19:33:17.000000000 +0000
>@@ -201,6 +201,7 @@
>     sc->insecure_reneg         = UNSET;
>     sc->proxy_ssl_check_peer_expire = SSL_ENABLED_UNSET;
>     sc->proxy_ssl_check_peer_cn     = SSL_ENABLED_UNSET;
>+    sc->proxy_ssl_hostname_source   = SSL_HOSTNAMESRC_UNSET;
> #ifndef OPENSSL_NO_TLSEXT
>     sc->strict_sni_vhost_check = SSL_ENABLED_UNSET;
> #endif
>@@ -325,6 +326,7 @@
>     cfgMergeBool(insecure_reneg);
>     cfgMerge(proxy_ssl_check_peer_expire, SSL_ENABLED_UNSET);
>     cfgMerge(proxy_ssl_check_peer_cn, SSL_ENABLED_UNSET);
>+    cfgMerge(proxy_ssl_hostname_source, SSL_HOSTNAMESRC_UNSET);
> #ifndef OPENSSL_NO_TLSEXT
>     cfgMerge(strict_sni_vhost_check, SSL_ENABLED_UNSET);
> #endif
>@@ -1621,6 +1623,20 @@
>     return NULL;
> }
> 
>+const char *ssl_cmd_SSLProxyHostnameSource(cmd_parms *cmd, void *dcfg, const char *arg)
>+{
>+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
>+
>+    if (!strcasecmp(arg, "request")) {
>+        sc->proxy_ssl_hostname_source = SSL_HOSTNAMESRC_REQUEST;
>+        return NULL;
>+    } else if (!strcasecmp(arg, "connection")) {
>+        sc->proxy_ssl_hostname_source = SSL_HOSTNAMESRC_CONNECTION;
>+        return NULL;
>+    }
>+    return "SSLProxyHostnameSource failed: invalid argument";
>+}
>+
> const char  *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag)
> {
> #ifndef OPENSSL_NO_TLSEXT
>--- src2.4.4/apache/modules/ssl/ssl_engine_io.c	2012-09-21 15:10:12.000000000 +0000
>+++ proposal/apache/modules/ssl/ssl_engine_io.c	2013-03-06 20:09:17.000000000 +0000
>@@ -1051,9 +1051,13 @@
> #ifndef OPENSSL_NO_TLSEXT
>         apr_ipsubnet_t *ip;
> #endif
>-        const char *hostname_note = apr_table_get(c->notes,
>-                                                  "proxy-request-hostname");
>+        const char *hostname_note;
>         sc = mySrvConfig(server);
>+        if (sc->proxy_ssl_hostname_source == SSL_HOSTNAMESRC_CONNECTION) {
>+            hostname_note = apr_table_get(c->notes, "proxy-connection-hostname");
>+        } else {
>+            hostname_note = apr_table_get(c->notes, "proxy-request-hostname");
>+        }
> 
> #ifndef OPENSSL_NO_TLSEXT
>         /*
>@@ -1117,6 +1121,7 @@
>             hostname = ssl_var_lookup(NULL, server, c, NULL,
>                                       "SSL_CLIENT_S_DN_CN");
>             apr_table_unset(c->notes, "proxy-request-hostname");
>+            apr_table_unset(c->notes, "proxy-connection-hostname");
>
>             /* Do string match or simplest wildcard match if that
>              * fails. */
>--- src2.4.4/apache/modules/ssl/ssl_private.h	2012-12-11 09:55:03.000000000 +0000
>+++ proposal/apache/modules/ssl/ssl_private.h	2013-03-06 19:33:17.000000000 +0000
>@@ -401,6 +401,15 @@
> } ssl_enabled_t;
> 
> /**
>+ * Define the SSL hostname source
>+ */
>+typedef enum {
>+    SSL_HOSTNAMESRC_UNSET      = UNSET,
>+    SSL_HOSTNAMESRC_REQUEST    = 1,
>+    SSL_HOSTNAMESRC_CONNECTION = 2
>+} ssl_hostnamesrc_t;
>+
>+/**
>  * Define the SSL requirement structure
>  */
> typedef struct {
>@@ -681,6 +690,7 @@
> #ifndef OPENSSL_NO_COMP
>     BOOL             compression;
> #endif
>+    ssl_hostnamesrc_t proxy_ssl_hostname_source;
> };
> 
> /**
>@@ -767,6 +777,7 @@
> #endif
> const char  *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag);
> const char  *ssl_cmd_SSLProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag);
>+const char  *ssl_cmd_SSLProxyHostnameSource(cmd_parms *cmd, void *dcfg, const char *arg);
> 
> const char *ssl_cmd_SSLOCSPOverrideResponder(cmd_parms *cmd, void *dcfg, int flag);
> const char *ssl_cmd_SSLOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, const char *arg);

Actions: View | Diff

Attachments on bug 54656: 30029 | 30172