On 02/14/2008 11:24 AM, [EMAIL PROTECTED] wrote:
Author: dirkx
Date: Thu Feb 14 02:24:04 2008
New Revision: 627699

URL: http://svn.apache.org/viewvc?rev=627699&view=rev
Log:
Kasper Brand came across a flaw in the current implementation when CRL information - i.e. SSLCARevocationFile/SSLCARevocationPath - is set on a per-vhost basis (don't know how much sense it makes to have non-global CRLs, but anyway...).

The attached patch ([EMAIL PROTECTED] on httpd-dev) addresses this issue, and it also improves the logging behavior for an SNI enabled configuration (previously some of the messages would always go to the first vhost, or wouldn't appear at all, depending on the LogLevel of the first vhost).

reviewed: dirkx


Modified:
    httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: 
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=627699&r1=627698&r2=627699&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Thu Feb 14 02:24:04 2008
@@ -2022,6 +2022,26 @@
                            SSL_CTX_get_verify_callback(ssl->ctx));
         }
+ /*
+         * We also need to make sure that the correct mctx is
+         * assigned to the connection - the CRL callback e.g.
+         * makes use of it for retrieving its store (mctx->crl).
+         */
+        c->base_server = s;
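Review bot: Assigning c->base_server = s here gives base_server a different meaning on SSL connections than it has for plain name-based virtual hosts, where base_server is the server configured for the IP/port pair rather than the host selected by name; after this line anything that reads c->base_server on an SNI connection (logging, other modules) sees the SNI-selected vhost instead. The comment above the assignment says the only goal is to hand the CRL callback the right mctx (mctx->crl); that can be achieved without overloading base_server by storing the selected server_rec, or its mctx, in mod_ssl's own per-connection state and having the callback read it from there. If base_server is kept as the carrier, the behavioural change should at least be called out in the comment and in CHANGES, since the log message mentions only the CRL and logging fixes.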

Is this correct? This changes the behaviour for SNI in comparison to name-based virtual hosts in the non-SSL case, as in their case the base_server is always the first (or is it the last, I cannot memorize this :-() configured server on this IP/port pair. IMHO SNI in SSL should be handled the same way as usual name-based virtual hosts in the HTTP case. This may mean that we need to add another server_rec field to the conn_rec struct that contains s and that mod_ssl needs to work with this field instead of base_server. But to be honest I haven't analysed this further.

Regards

Rüdiger
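As an added illustration (not part of the commit or of this thread) of the configuration the commit log describes, here is a 2.2-style httpd config with two name-based SSL vhosts on one address, where only the second, SNI-selected vhost carries a CRL. The hostnames, paths and address are placeholders.

```apache
# Added example, not from the commit or the thread. Two name-based SSL
# virtual hosts on one IP:port, distinguished by SNI. Hostnames and
# file paths are assumed placeholders.
Listen 443
NameVirtualHost *:443

# First (default) vhost for this address: no client-cert verification
# and no CRL configured at all.
<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/www.example.org.crt
    SSLCertificateKeyFile /etc/ssl/www.example.org.key
    SSLVerifyClient none
</VirtualHost>

# Second vhost, reachable only via SNI: client certificates required,
# with a CRL set on this vhost only (the per-vhost case from the log).
<VirtualHost *:443>
    ServerName secure.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/secure.example.org.crt
    SSLCertificateKeyFile /etc/ssl/secure.example.org.key
    SSLCACertificateFile  /etc/ssl/client-ca.crt
    SSLCARevocationFile   /etc/ssl/client-ca.crl
    SSLVerifyClient require
</VirtualHost>
```

The check a practitioner would run against such a layout: revoke a test client certificate in client-ca.crl, connect with the SNI name secure.example.org, and confirm the handshake is refused. If the reply's description of base_server is right, a CRL callback that fetches mctx through c->base_server would, before the patch, have looked at the first vhost's context, which has no CRL at all; making the SNI-selected vhost's mctx (and so its mctx->crl) the one the callback sees is what the patched line is for.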
