git.ipfire.org Git - thirdparty/apache/httpd.git/commit

author	Yann Ylavic <ylavic@apache.org>
	Sun, 20 Oct 2019 10:50:33 +0000 (10:50 +0000)
committer	Yann Ylavic <ylavic@apache.org>
	Sun, 20 Oct 2019 10:50:33 +0000 (10:50 +0000)
commit	076e28399c7336f2b287b102a6e4e40934f2057d
tree	bf6f11fe94075cd47cf4c6a67485d0ae43ec7a01	tree
parent	82b7e77b826ce6a17cf98577b9969b88e09861fd	commit \| diff

mod_ssl: negotiate the TLS protocol version per name based vhost configuration.

By using the new ClientHello callback provided by OpenSSL 1.1.1, which runs at
the earliest connection stage, we can switch the SSL_CTX of the SSL connection
early enough for OpenSSL to take into account the protocol configuration of the
vhost.

In other words:
SSL_set_SSL_CTX(c->SSL, s->SSL_CTX)
followed by:
SSL_set_{min,max}_proto_version(SSL_CTX_get_{min,max}_proto_version(s->SSL_CTX))
works as expected at this stage (while the same from the SNI callback is
ignored by/due to OpenSSL's state machine).

Extracting the SNI (to select the relevant vhost) in the ClientHello callback
is not as easy as calling SSL_get_servername() though, we have to work with
the raw TLS extensions helpers provided by OpenSSL. I stole this code from a
test in the OpenSSL source code (i.e. client_hello_select_server_ctx() in
test/handshake_helper.c).

We can then call init_vhost() as with the SNI callback (in use only for OpenSSL
versions earlier than 1.1.1 now), and pass it the extracted SNI.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1868645 13f79535-47bb-0310-9956-ffa450edef68

modules/ssl/ssl_engine_init.c		diff \| blob \| blame \| history
modules/ssl/ssl_engine_kernel.c		diff \| blob \| blame \| history
modules/ssl/ssl_private.h		diff \| blob \| blame \| history