Re: svn commit: r627699 - /httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c

Thu, 14 Feb 2008 12:47:33 -0800 


On Feb 14, 2008, at 9:34 PM, Ruediger Pluem wrote:


On 02/14/2008 11:24 AM, [EMAIL PROTECTED] wrote:

Author: dirkx
Date: Thu Feb 14 02:24:04 2008
New Revision: 627699
URL: http://svn.apache.org/viewvc?rev=627699&view=rev
Log:
Kasper Brand came across a flaw in the current implementation when CRL information - i.e. SSLCARevocationFile/SSLCARevocationPath - is set on a per-vhost basis (don't know how much sense it makes to have non-global CRLs, but anyway...). The attached patch ([EMAIL PROTECTED] on httpd-dev) addresses this issue, and it also improves the logging behavior for an SNI enabled configuration (previously some of the messages would always go to the first vhost, or wouldn't appear at 
all, depending on the LogLevel of the first vhost).
reviewed: dirkx
Modified:
   httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: 
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=627699&r1=627698&r2=627699&view=diff
= = = = = = = = = ===================================================================== 
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Thu Feb 14 02:24:04 2008 
@@ -2022,6 +2022,26 @@
                           SSL_CTX_get_verify_callback(ssl->ctx));
        }
+        /*
+         * We also need to make sure that the correct mctx is
+         * assigned to the connection - the CRL callback e.g.
+         * makes use of it for retrieving its store (mctx->crl).
+         */
+        c->base_server = s;


Is this correct? This changes the behaviour for SNI in comparison
to name based virtual hosts in the non-SSL case as in their case the base_server is always the first (or is it the last, I cannot memorize this :-() configured 

first.
server on this IP/port pair. IMHO SNI in SSL should be handled the same way as usual name based virtual hosts in the HTTP case. This may mean that we need to add another server_rec field to the conn_rec struct that contains s and that mod_ssl needs to work with this field instead of base_server. But to be honest I haven't analysed 
this further.
My test suggest that it does the right thing - but I understand your concern -- and have not tried your senario in a wider case. Though my guess this still behaves correct ? Unfortunately I won't be able to dive into this in the next few days. Feel free back this change out if you think it break things - or hack on it :) It is not super critical. 

Dw

Reply via email to