git.ipfire.org Git - thirdparty/apache/httpd.git/commitdiff
Merge r1585090 from trunk:
author Yann Ylavic <ylavic@apache.org>
Tue, 9 Jun 2015 16:09:28 +0000 (16:09 +0000)
committer Yann Ylavic <ylavic@apache.org>
Tue, 9 Jun 2015 16:09:28 +0000 (16:09 +0000)
Bring SNI behavior into better conformance with RFC 6066:

- no longer send a warning-level unrecognized_name(112) alert
  when no matching vhost is found (PR 56241)

<not backported to 2.2.x>
- at startup, only issue warnings about IP/port conflicts and name-based
  SSL vhosts when running with an OpenSSL without TLS extension support
  (almost 5 years after SNI was added to 2.2.x, the
  "[...] only work for clients with TLS server name indication support"
  warning feels obsolete)
</not backported to 2.2.x>

Proposed by: kbrand
Reviewed by: ylavic, jorton, wrowe

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1684462 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
STATUS
modules/ssl/ssl_engine_kernel.c

diff --git a/CHANGES b/CHANGES
index ebafa680838aab48cd238fce9331a32f51e28ffe..ef85c992fd798250ca4e17fcddcba7b54cbcc01a 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.2.30
 
+  *) mod_ssl: bring SNI behavior into better conformance with RFC 6066:
+     no longer send warning-level unrecognized_name(112) alerts. PR 56241.
+     [Kaspar Brand]
+
   *) http: Make ap_die() robust against any HTTP error code and not modify
      response status (finally logged) when nothing is to be done. [Yann Ylavic]
 
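Review bot: the CHANGES entry only says that warning-level unrecognized_name(112) alerts are no longer sent, whereas the new comment in ssl_engine_kernel.c makes clear that no alert of any level is sent and the handshake simply continues with the default/first virtual host; consider saying so in the entry (e.g. "no longer send any alert when no matching SSL virtual host is found; the handshake continues with the default virtual host"), because the silent continuation is the behaviour change operators will actually observe. The PR reference and author credit otherwise match the commit message.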
diff --git a/STATUS b/STATUS
index 93da8bcc9b3a87b57cf3e640858cab9428e70b41..a4432516328dbf04261f176600999d5a7a78a5bf 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -101,15 +101,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-   * mod_ssl: bring SNI behavior into better conformance with RFC 6066
-     (also addresses PR 56241)
-     trunk patch: https://svn.apache.org/r1585090
-                  (partial, w/o startup warnings changes)
-     2.4.x patch: https://svn.apache.org/r1588424
-                  (backported to 2.4.10)
-     2.2.x patch: http://people.apache.org/~ylavic/httpd-2.2.x-no_sni_warning.patch
-     +1: ylavic, jorton, wrowe
-
 
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
index f4bedc8299c2bd36e04db4c8b5626248037d6ec0..7c564556b94a66c84912c7e661026d3561b7a1d2 100644 (file)
@@ -1940,7 +1940,7 @@ void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc)
 #ifndef OPENSSL_NO_TLSEXT
 /*
  * This callback function is executed when OpenSSL encounters an extended
- * client hello with a server name indication extension ("SNI", cf. RFC 4366).
+ * client hello with a server name indication extension ("SNI", cf. RFC 6066).
  */
 int ssl_callback_ServerNameIndication(SSL *ssl, int *al, modssl_ctx_t *mctx)
 {
@@ -1962,7 +1962,21 @@ int ssl_callback_ServerNameIndication(SSL *ssl, int *al, modssl_ctx_t *mctx)
                               "No matching SSL virtual host for servername "
                               "%s found (using default/first virtual host)",
                               servername);
-                return SSL_TLSEXT_ERR_ALERT_WARNING;
+                /*
+                 * RFC 6066 section 3 says "It is NOT RECOMMENDED to send
+                 * a warning-level unrecognized_name(112) alert, because
+                 * the client's behavior in response to warning-level alerts
+                 * is unpredictable."
+                 *
+                 * To maintain backwards compatibility in mod_ssl, we
+                 * no longer send any alert (neither warning- nor fatal-level),
+                 * i.e. we take the second action suggested in RFC 6066:
+                 * "If the server understood the ClientHello extension but
+                 * does not recognize the server name, the server SHOULD take
+                 * one of two actions: either abort the handshake by sending
+                 * a fatal-level unrecognized_name(112) alert or continue
+                 * the handshake."
+                 */
             }
         }
     }
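Review bot: with `return SSL_TLSEXT_ERR_ALERT_WARNING;` removed, the no-match branch no longer returns from inside the `if` block and the visible context does not show which value the function returns instead; the behaviour the comment promises ("continue the handshake") holds only if the fall-through reaches a return such as SSL_TLSEXT_ERR_NOACK or SSL_TLSEXT_ERR_OK and not SSL_TLSEXT_ERR_ALERT_FATAL, so a one-line comment at the end of the new block (e.g. `/* fall through: no alert, continue the handshake with the default vhost */`) would make the intent explicit and protect it from a later edit that adds a return before the closing braces. Worth noting as well: once no alert is sent, the APLOG_DEBUG message just above ("No matching SSL virtual host for servername ... found (using default/first virtual host)") becomes the only server-side trace of a ClientHello whose server name matched no vhost, so anyone relying on the old alert to notice misconfigured SNI names now needs that debug logging instead.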