> URL: 
> http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c?rev=1497466&r1=1497465&r2=1497466&view=diff
> ==============================================================================
> --- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c (original)
> +++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c Thu Jun 27 
> 17:24:58 2013
> @@ -1063,9 +1063,39 @@ static int ssl_io_filter_connect(ssl_fil
>
>      server = sslconn->server;
>      if (sslconn->is_proxy) {
> -        const char *hostname_note;
> -
> +#ifndef OPENSSL_NO_TLSEXT
> +        apr_ipsubnet_t *ip;
> +#endif
> +        const char *hostname_note = apr_table_get(c->notes,
> +                                                  "proxy-request-hostname");
>          sc = mySrvConfig(server);
> +
> +#ifndef OPENSSL_NO_TLSEXT
> +        /*
> +         * Enable SNI for backend requests. Make sure we don't do it for
> +         * pure SSLv2 or SSLv3 connections, and also prevent IP addresses
> +         * from being included in the SNI extension. (OpenSSL would simply
> +         * pass them on, but RFC 6066 is quite clear on this: "Literal
> +         * IPv4 and IPv6 addresses are not permitted".)
> +         */
> +        if (hostname_note &&
> +            sc->proxy->protocol != SSL_PROTOCOL_SSLV2 &&
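
Review bot: The `SSL_PROTOCOL_SSLV2` comparison in the new `if (hostname_note && ...` condition is guarded only by `#ifndef OPENSSL_NO_TLSEXT`, and nothing in this hunk guarantees that the constant is defined in a build where SSLv2 support is compiled out. Either confirm that the module defines it unconditionally, or place the comparison under the same preprocessor conditional that defines the constant. The block comment also promises to skip pure SSLv3 connections and to keep IP addresses out of the SNI extension; the quoted condition is cut off after the `&&`, so those checks and the use of `apr_ipsubnet_t *ip` cannot be verified from the lines shown.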


A user on IRC reported that the SSL_PROTOCOL_SSLV2 here caused a build
break on his Debian system. Does it need to be wrapped in an
OPENSSL_NO_SSL2 macro?

--
Eric Covener
cove...@gmail.com
