----------------------------------------
> Date: Sat, 23 Nov 2013 13:24:53 +0100
> From: httpd-dev.2...@velox.ch
> To: dev@httpd.apache.org
> Subject: Re: ssl_die() and pool cleanup
>
> Thanks Jeff and Yann for your reviews. Fixed all items as suggested,
> except for these ones:
>
>> The various calls to ssl_server_import_cert() in ssl_init_server_certs()
>> need different rc checking than before. (Now ssl_server_import_cert() can
>> return a fatal error instead of just a boolean.)
>>
>> (same for ssl_server_import_key())
>
> Do you suggest that we should make these checks more strict? The current
> code is just checking if at least one certificate/key was configured
> successfully. My change so far was the following:
>
> - if (!(have_rsa || have_dsa
> + if ((have_rsa != APR_SUCCESS) && (have_dsa != APR_SUCCESS)
> #ifdef HAVE_ECC
> - || have_ecc
> + && (have_ecc != APR_SUCCESS)
> #endif
> -)) {
> +) {
> ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01910)
> "Oops, no " KEYTYPES " server certificate found "
> "for '%s:%d'?!", s->server_hostname, s->port);
> - ssl_die(s);
> + return ssl_die(s);
>
> (I have simply rewritten the condition with De Morgan's law)
>
> I'm fine with extending these checks (i.e., fail if any of the
> ssl_server_import_cert or ssl_server_import_key calls fails), but this
> can result in refusing to load existing configs.
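Review bot: the rewritten condition (`(have_rsa != APR_SUCCESS) && (have_dsa != APR_SUCCESS) && (have_ecc != APR_SUCCESS)`) still only asks whether at least one key type loaded, so a fatal status returned by ssl_server_import_cert() or ssl_server_import_key() for one type is masked whenever another type imported fine; that is exactly the rc-checking gap the quoted review points at, since the callee now returns a status rather than a boolean. Consider checking each import's rc where the call is made and propagating a genuine error before reaching this aggregate test, leaving this branch (and its APLOGNO(01910) message) for the "nothing configured at all" case; the De Morgan rewrite itself is correct, and `return ssl_die(s);` is consistent with ssl_die() now yielding a status for the caller.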
Wouldn't that essentially remove the ability to configure a _default_:443
VirtualHost with a non-existing ServerName, whose only purpose is to serve a
certificate for all other VirtualHosts? e.g.

  <VirtualHost _default_:443>
      ServerName nonexistant.domain
      SSLEngine On
      SSLCertificateFile conf/ssl/www.example.com.cer
      SSLCertificateKeyFile conf/ssl/www.example.com.key
      SSLCertificateChainFile conf/ssl/www.example.com.ca
  </VirtualHost>

  <VirtualHost *:80 *:443>
      ServerName www.example.com
      [...]
  </VirtualHost>

- If one sets www.example.com as ServerName of the _default_ VirtualHost,
  then all requests are served by this vhost instead of the wildcard one.
- If mod_ssl would refuse to start the server because the _default_ vhost
  ServerName does not match a certificate, then you would have to use a
  wildcard certificate to make use of a _default_ vhost.

So, if the sanity check is skipped for the _default_ host, or there is a
better way to set the ServerName of the _default_ host, which I don't know
yet, then this wouldn't be affected.
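A small config audit for the vhost layout discussed in this reply, added here as an example (it is not httpd or mod_ssl code): it parses the `<VirtualHost>` blocks, reports the ServerName of the `_default_` vhost on the SSL port, and lists the vhosts on that port that carry no SSLCertificateFile/SSLCertificateKeyFile of their own, i.e. the ones that depend on the `_default_` certificate. The embedded config is a constructed sample modelled on the one above.

```python
import re

# Constructed sample config, modelled on the vhost layout in the reply above.
SAMPLE_CONF = """
<VirtualHost _default_:443>
    ServerName nonexistant.domain
    SSLEngine On
    SSLCertificateFile conf/ssl/www.example.com.cer
    SSLCertificateKeyFile conf/ssl/www.example.com.key
    SSLCertificateChainFile conf/ssl/www.example.com.ca
</VirtualHost>
<VirtualHost *:80 *:443>
    ServerName www.example.com
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    """Return one dict per <VirtualHost>: its addresses and the directives we care about."""
    vhosts = []
    for addrs, body in VHOST_RE.findall(conf):
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)          # "Directive value..."
            directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
        vhosts.append({
            "addresses": addrs.split(),
            "servername": directives.get("servername"),
            "certfile": directives.get("sslcertificatefile"),
            "keyfile": directives.get("sslcertificatekeyfile"),
        })
    return vhosts

def audit_ssl_vhosts(conf, port="443"):
    """Report the _default_ vhost's ServerName and the vhosts on `port` without their own cert/key."""
    default_name, relying = None, []
    for vh in parse_vhosts(conf):
        on_port = [a for a in vh["addresses"] if a.endswith(":" + port)]
        if not on_port:
            continue
        if any(a.startswith("_default_") for a in on_port):
            default_name = vh["servername"]
        elif vh["certfile"] is None or vh["keyfile"] is None:
            relying.append(vh["servername"])
    return {"default_servername": default_name, "vhosts_without_cert": relying}
```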