Committed v10 with some smaller tweaks as r768499. In particular, I removed

@@ -186,16 +186,6 @@ int ssl_hook_ReadReq(request_rec *r) return HTTP_BAD_REQUEST; } } - else if (r->connection->vhost_lookup_data) { - /* - * We are using a name based configuration here, but no hostname was - * provided via SNI. Don't allow that. - */ - ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, - "No hostname was provided via SNI for a name based" - " virtual host"); - return HTTP_FORBIDDEN; - } #endif SSL_set_app_data2(ssl, r);
as I want to make this configurable and this is easier to do when it remains in the code. Furthermore I tweaked

+#define MODSSL_CFG_CA_NE(f, sc1, sc2) \ + (sc1->server->auth.f && \ + (!sc2->server->auth.f || \ + sc2->server->auth.f && \ + strNE(sc1->server->auth.f, sc2->server->auth.f))) +

So please have a quick check at http://svn.apache.org/viewvc?view=rev&revision=768499

Regards

Rüdiger

> -----Original Message-----
> From: Kaspar Brand
> Sent: Saturday, 25 April 2009 09:37
> To: dev@httpd.apache.org
> Subject: Re: SNI in 2.2.x (Re: Time for 2.2.10?)
>
> >> Mind to send a version v9 of your patch such that I can review the
> >> complete one again? Thanks for your efforts.
>
> Sorry, please disregard v9 - it makes SSL_VERIFY_CLIENT report GENEROUS
> even in cases where it could/should be SUCCESS, actually (if the CA list
> stays the same; i.e., v9 doesn't weaken things, security-wise, but
> possibly locks out legitimate [non-SNI] clients).
>
> I have attached v10. As far as ssl_var_lookup_ssl_cert_verify()
> is concerned, a tweak could look like:
>
> --- modules/ssl/ssl_engine_vars.c (revision 765079) > +++ modules/ssl/ssl_engine_vars.c (working copy) > @@ -607,7 +607,7 @@ static char *ssl_var_lookup_ssl_cert_verify(apr_po > result = "SUCCESS"; > else if (vrc == X509_V_OK && vinfo != NULL && > strEQ(vinfo, "GENEROUS")) > /* client verification done in generous way */ > - result = "GENEROUS"; > + result = xs ? "GENEROUS" : "NONE"; > else > /* client verification failed */ > result = apr_psprintf(p, "FAILED:%s", verr);
>
> [Not included in v10. If it's added, we should probably update the comment
> to explain why we're doing it like this, exactly.]
>
> Kaspar
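Review bot: in the ssl_hook_ReadReq hunk, dropping the whole "else if (r->connection->vhost_lookup_data)" block also drops the only log entry for a name-based virtual host reached without SNI, so until the configurable variant lands such requests fall through to SSL_set_app_data2(ssl, r) without any trace in the error log. Suggest keeping the ap_log_error call (at a lower level than APLOG_ERR now that the request is no longer rejected with HTTP_FORBIDDEN) so operators can see non-SNI clients hitting name-based hosts, plus a one-line comment marking where the configurable check is going to go.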
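Review bot: in the MODSSL_CFG_CA_NE definition, "sc2->server->auth.f && strNE(...)" is an && directly inside an || without its own parentheses, which compilers flag under -Wparentheses, and the "sc2->server->auth.f &&" test is redundant because the preceding "!sc2->server->auth.f ||" already short-circuits the NULL case; "(sc1->server->auth.f && (!sc2->server->auth.f || strNE(sc1->server->auth.f, sc2->server->auth.f)))" is equivalent and clearer. Note also that the macro is asymmetric: when sc1's field is NULL and sc2's is set it yields false, i.e. it only reports a difference when sc1 carries a value. If that is intended (a CA setting present in sc1 is what can change the verification outcome), a comment above the macro should say so, since the NE name suggests a plain unordered inequality.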
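Review bot: in the quoted ssl_var_lookup_ssl_cert_verify hunk, the comment "/* client verification done in generous way */" kept above "result = xs ? "GENEROUS" : "NONE";" no longer describes the NONE outcome; suggest extending it to state that GENEROUS without a peer certificate is reported as NONE and why, as the reply itself proposes. Since xs is outside the hunk context, it is also worth confirming that it is the peer certificate pointer and that no earlier branch of this if/else chain already handles xs == NULL, otherwise the new ternary is never taken.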