ASF Bugzilla – Attachment 35848 Details for Bug 55707: SSLProtocol directive seem to be ignored over different virtualhosts on the same ip+port
[patch] Reject connections not conforming to vhost SSLProtocol
4508.patch (text/plain), 1.86 KB, created by Mike Haller on 2018-04-09 05:06:53 UTC
>--- modules/ssl/ssl_engine_kernel.c 2017-05-02 05:01:17.000000000 -0600 >+++ modules/ssl/ssl_engine_kernel.c 2018-04-02 09:16:58.000000000 -0600 >@@ -2136,6 +2136,25 @@ > if (servername) { > if (ap_vhost_iterate_given_conn(c, ssl_find_vhost, > (void *)servername)) { >+ SSLSrvConfigRec* sc = mySrvConfig(sslcon->server); >+ const char* version = SSL_get_version(ssl); >+ int mask = sc->server->protocol; >+ if (strcmp(version, SSL_TXT_TLSV1_2) == 0) { >+ mask = SSL_PROTOCOL_TLSV1_2; >+ } >+ else if (strcmp(version, SSL_TXT_TLSV1_1) == 0) { >+ mask = SSL_PROTOCOL_TLSV1_1; >+ } >+ else if (strcmp(version, SSL_TXT_TLSV1) == 0) { >+ mask = SSL_PROTOCOL_TLSV1; >+ } >+ if (!(sc->server->protocol & mask)) { >+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02045) >+ "Rejecting version %s for servername %s", >+ version, servername); >+ return APR_EMISMATCH; >+ } >+ > ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02043) > "SSL virtual host for servername %s found", > servername); >@@ -2209,7 +2209,15 @@ > conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); > apr_status_t status = init_vhost(c, ssl); > >- return (status == APR_SUCCESS)? SSL_TLSEXT_ERR_OK : SSL_TLSEXT_ERR_NOACK; >+ switch (status) { >+ case APR_SUCCESS: >+ return SSL_TLSEXT_ERR_OK; >+ case APR_EMISMATCH: >+ *al = SSL_AD_PROTOCOL_VERSION; >+ return SSL_TLSEXT_ERR_ALERT_FATAL; >+ default: >+ return SSL_TLSEXT_ERR_NOACK; >+ } > } > > /*
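Review bot: In the first hunk (the block added after ap_vhost_iterate_given_conn succeeds), `int mask = sc->server->protocol;` makes the check fail open. When SSL_get_version() returns anything other than the three strings compared here (SSLv3, or any TLS version newer than 1.2), mask stays equal to the configured set, `!(sc->server->protocol & mask)` is false for any non-empty SSLProtocol, and the connection is accepted without being checked. Initialize mask to 0 and handle or reject each remaining version explicitly; comparing the integer from SSL_version(ssl) against the TLS1_*_VERSION constants would also avoid the string matching. Because the block sits inside `if (servername)`, a client that sends no SNI never reaches it, which deserves a comment or a matching check on that path. The rejection is logged at APLOG_DEBUG only, so a refused handshake is invisible at default log levels; a higher level such as APLOG_INFO would make it diagnosable.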
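Review bot: In the second hunk's `switch (status)`, `case APR_EMISMATCH:` gives a generic APR status a new meaning (send a fatal protocol_version alert), and nothing in the patch documents that contract. Add a comment here and at the `return APR_EMISMATCH;` in the first hunk, so that a later change making init_vhost return APR_EMISMATCH for another reason does not silently become a handshake abort. The assignment `*al = SSL_AD_PROTOCOL_VERSION;` relies on `al` being the alert out-parameter of the enclosing callback, which is outside the visible context and worth confirming. Also, the header `@@ -2209,7 +2209,15 @@` keeps the new-file start equal to the old one although the first hunk adds 19 lines to the same file, so the new-side start should be 2228; regenerate the diff so it applies without offset.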