On 05.07.2013 21:25, [email protected] wrote:
> Author: rjung
> Date: Fri Jul 5 19:25:28 2013
> New Revision: 1500108
>
> URL: http://svn.apache.org/r1500108
> Log:
> mod_ssl: Fix "SNI for backend" when compiled against
> OpenSSL without support for SSLv2.
>
> PR 55194.
>
> Followup to r1497466. Does not apply to trunk or 2.4.x.
I missed the review of r1497466 (i.e. the backport of r1175416) in time, sorry... however, note that for 2.2.26, in the following code:

> Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c?rev=1500108&r1=1500107&r2=1500108&view=diff
> ==============================================================================
> --- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c (original)
> +++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c Fri Jul 5 19:25:28 2013
> @@ -1079,7 +1079,9 @@ static int ssl_io_filter_connect(ssl_fil
>       * IPv4 and IPv6 addresses are not permitted".)
>       */
>      if (hostname_note &&
> +#ifndef OPENSSL_NO_SSL2
>          sc->proxy->protocol != SSL_PROTOCOL_SSLV2 &&
> +#endif
>          sc->proxy->protocol != SSL_PROTOCOL_SSLV3 &&
>          apr_ipsubnet_create(&ip, hostname_note, NULL,
>                              c->pool) != APR_SUCCESS) {

it might make more sense to completely drop the #ifndef block, since OpenSSL itself will never add TLS extensions for SSLv2 connections (that's the reason why even in trunk/2.4 we only check for SSL_PROTOCOL_SSLV3). Furthermore, with OpenSSL 1.0.0 and later, or 0.9.8m or later, the glitch of including an SNI extension in an SSLv3 ClientHello has been fixed in OpenSSL itself, so it's even debatable if we still need to guard against this (0.9.8m and 1.0.0 were released in February/March 2010). See

http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=1629
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=18f8258a87bd3b4099f5ab6f788c7bc2bfa00f9c
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5d577d7eb0f6cd2432b60e6abececc6f7c9bbb79

Kaspar
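Review bot: the `#ifndef OPENSSL_NO_SSL2` / `#endif` pair wrapping `sc->proxy->protocol != SSL_PROTOCOL_SSLV2 &&` preserves a comparison that is dead either way: when SSLv2 is compiled out the branch disappears, and when it is compiled in OpenSSL never attaches TLS extensions to an SSLv2 connection, so the SNI extension can never be sent on that path. Dropping the SSLV2 comparison outright, so the condition reads `if (hostname_note && sc->proxy->protocol != SSL_PROTOCOL_SSLV3 && apr_ipsubnet_create(...) != APR_SUCCESS)`, would keep 2.2.x in line with trunk/2.4.x and avoid the preprocessor noise inside a multi-line condition. The remaining SSLV3 exclusion also deserves a comment noting that it only matters for OpenSSL builds older than 0.9.8m / 1.0.0, which fixed the SNI-in-SSLv3-ClientHello behaviour themselves, so a future reader knows when it can go.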
