On Mon, Mar 23, 2009 at 11:56 AM, Paul Querna <[email protected]> wrote: > On Mon, Mar 23, 2009 at 11:51 AM, <[email protected]> wrote: >> Author: rpluem >> Date: Mon Mar 23 10:51:00 2009 >> New Revision: 757373 >> >> URL: http://svn.apache.org/viewvc?rev=757373&view=rev >> Log: >> * If the SNI extension supplied a hostname. So don't accept requests with >> either no hostname or a different hostname. >> >> Modified: >> httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c >> >> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c >> URL: >> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=757373&r1=757372&r2=757373&view=diff >> ============================================================================== >> --- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original) >> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Mon Mar 23 10:51:00 >> 2009 
>> @@ -160,11 +160,31 @@
>> return DECLINED;
>> }
>> #ifndef OPENSSL_NO_TLSEXT
>> - if (!r->hostname &&
>> - (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
>> - /* Use the SNI extension as the hostname if no Host: header was >> sent */
>> - r->hostname = apr_pstrdup(r->pool, servername);
>> - ap_update_vhost_from_headers(r);
>> + if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
>> + char *host, *scope_id;
>> + apr_port_t port;
>> + apr_status_t rv;
>> +
>> + /*
>> + * The SNI extension supplied a hostname. So don't accept requests
>> + * with either no hostname or a different hostname.
>> + */
>> + if (!r->hostname) {
>> + ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
>> + "Hostname %s provided via SNI, but no hostname"
>> + " provided in HTTP request", servername);
>> + return HTTP_BAD_REQUEST;
>> + }
>> + rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, >> r->pool);
>> + if (rv != APR_SUCCESS || scope_id) {
>> + return HTTP_BAD_REQUEST;
>> + }
>> + if (strcmp(host, servername)) {
>> + ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
>> + "Hostname %s provided via SNI and hostname %s >> provided"
>> + " via HTTP are different", servername, host);
>> + return HTTP_BAD_REQUEST;
>> + }
> > shouldn't this be ap_strcasecmp_match instead of strcmp?
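Review bot: The apr_parse_addr_port failure branch in the new code (`if (rv != APR_SUCCESS || scope_id)`) returns HTTP_BAD_REQUEST without logging, while the two neighbouring rejections log at APLOG_ERR, so a request that trips it leaves no trace in the error log; an ap_log_error call matching the other branches, or `ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, ...)` on all three so the client address and request line are attached, would keep these rejections auditable. apr_parse_addr_port documents that it leaves `*host` NULL when the input has no host part, and if that can happen for an r->hostname that passed the `!r->hostname` check, `strcmp(host, servername)` two lines later dereferences NULL, so widening the guard to `if (rv != APR_SUCCESS || scope_id || !host) {` is a cheap safeguard. Separately from the wildcard question already raised in the thread, DNS names are case-insensitive, so a byte-exact compare rejects `Host: Example.com` against SNI `example.com`; if that strictness is intended it deserves a comment above the compare. The quoted hunk omits its trailing context, so the enclosing function continues beyond what is shown here.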
sorry, host and servername are both full names, not wildcards, so this is fine....
