Committed v10 with some smaller tweaks as r768499. Especially I removed

@@ -186,16 +186,6 @@ int ssl_hook_ReadReq(request_rec *r)
             return HTTP_BAD_REQUEST;
         }
     }
-    else if (r->connection->vhost_lookup_data) {
-        /*
-         * We are using a name based configuration here, but no hostname was
-         * provided via SNI. Don't allow that.
-         */
-        ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
-                     "No hostname was provided via SNI for a name based"
-                     " virtual host");
-        return HTTP_FORBIDDEN;
-    }
 #endif
     SSL_set_app_data2(ssl, r);
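Review bot: as shown, this hunk deletes the only rejection of a request that reaches a name-based configuration (`r->connection->vhost_lookup_data` set) without an SNI hostname; with the branch gone such a request falls straight through to `SSL_set_app_data2(ssl, r)` with no log line and no HTTP_FORBIDDEN. Leaving the branch in place, as the covering message says was done for r768499, is the right call until a directive controls it: if the behaviour is to become configurable, keep the `ap_log_error(...)` and `return HTTP_FORBIDDEN;` behind that directive rather than removing them, and say so in the commit message so nobody reads the dropped hunk as the intended behaviour.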

as I want to make this configurable and this is easier to do when it remains in 
the code.
Furthermore I tweaked

+#define MODSSL_CFG_CA_NE(f, sc1, sc2) \
+            (sc1->server->auth.f && \
+             (!sc2->server->auth.f || \
+              sc2->server->auth.f && \
+              strNE(sc1->server->auth.f, sc2->server->auth.f)))
+
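Review bot: in the `+#define MODSSL_CFG_CA_NE` body the `||` and `&&` operands are mixed without parentheses, so `!sc2->server->auth.f || sc2->server->auth.f && strNE(...)` relies on operator precedence and will draw a -Wparentheses warning; the `sc2->server->auth.f &&` term is also redundant, since when `!sc2->server->auth.f` is false the field is already non-NULL. A simpler equivalent is `(sc1->server->auth.f && (!sc2->server->auth.f || strNE(sc1->server->auth.f, sc2->server->auth.f)))`. Note the macro is asymmetric: it yields false when sc1's field is NULL and sc2's is set, so if only a CA configured on sc1 is meant to matter, a one-line comment above the define would save the next reader a question.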

So please have a quick check at

http://svn.apache.org/viewvc?view=rev&revision=768499

Regards

Rüdiger 

> -----Original Message-----
> From: Kaspar Brand
> Sent: Saturday, 25 April 2009 09:37
> To: dev@httpd.apache.org
> Subject: Re: SNI in 2.2.x (Re: Time for 2.2.10?)
> 
> >> Mind to send a version v9 of your patch such that I can review the
> >> complete one again? Thanks for your efforts.
> 
> Sorry, please disregard v9 - it makes SSL_VERIFY_CLIENT report GENEROUS
> even in cases where it could/should be SUCCESS, actually (if the CA list
> stays the same; i.e., v9 doesn't weaken things, security-wise, but
> possibly locks out legitimate [non-SNI] clients).
> 
> I have attached v10. As far as ssl_var_lookup_ssl_cert_verify()
> is concerned, a tweak could look like:
> 
> --- modules/ssl/ssl_engine_vars.c       (revision 765079)
> +++ modules/ssl/ssl_engine_vars.c       (working copy)
> @@ -607,7 +607,7 @@ static char *ssl_var_lookup_ssl_cert_verify(apr_po
>          result = "SUCCESS";
>      else if (vrc == X509_V_OK && vinfo != NULL && 
> strEQ(vinfo, "GENEROUS"))
>          /* client verification done in generous way */
> -        result = "GENEROUS";
> +        result = xs ? "GENEROUS" : "NONE";
>      else
>          /* client verification failed */
>          result = apr_psprintf(p, "FAILED:%s", verr);
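Review bot: the replacement line `+        result = xs ? "GENEROUS" : "NONE";` makes the GENEROUS outcome depend on `xs`, whose definition lies outside the hunk, and leaves the retained comment `/* client verification done in generous way */` wrong for the `"NONE"` case; if this tweak goes in, the comment should state that GENEROUS is only reported when a client certificate was actually presented (`xs` non-NULL), as the covering text itself suggests, and `"NONE"` should be listed alongside SUCCESS, GENEROUS and FAILED:... as a possible result of ssl_var_lookup_ssl_cert_verify().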
> 
> 
> [Not included in v10. If it's added, we should probably update the comment
> to explain why we're doing it like this, exactly.]
> 
> Kaspar
> 
> 
