*) mod_setenvif: Log error on substitution overflow.
[Stefan Fritsch]
+ *) mod_ssl/proxy: enable the SNI extension for backend TLS connections
+ [Kaspar Brand]
+
*) mod_ssl: Quiet FIPS mode weak keys disabled and FIPS not selected emits
in the error log to debug level. [William Rowe]
- *) htdigest: Fix buffer overflow when reading digest password file
- with very long lines. PR 54893. [Rainer Jung]
-
*) mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs
with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698.
[Keith Burdis <keith burdis.org>, Joe Orton, Kaspar Brand]
admin to configure an IO timeout as an error in the balancer.
[Daniel Ruggeri]
+ *) htdigest: Fix buffer overflow when reading digest password file
+ with very long lines. PR 54893. [Rainer Jung]
+
*) mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with
the source href (sent as part of the request body as XML) pointing to a
URI that is not configured for DAV will trigger a segfault. [Ben Reser
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_ssl/proxy: enable the SNI extension for backend TLS connections
- [Kaspar Brand]
- 2.2.x patch: http://people.apache.org/~rjung/patches/r1175416-2.0-v2.patch
- +1: wrowe, rjung, trawick
-
* mod_proxy_http: Use the same hostname for SNI as for the HTTP request when
forwarding to SSL backends.
PR: 53134
server = sslconn->server;
if (sslconn->is_proxy) {
- const char *hostname_note;
-
+#ifndef OPENSSL_NO_TLSEXT
+ apr_ipsubnet_t *ip;
+#endif
+ const char *hostname_note = apr_table_get(c->notes,
+ "proxy-request-hostname");
sc = mySrvConfig(server);
+
+#ifndef OPENSSL_NO_TLSEXT
+ /*
+ * Enable SNI for backend requests. Make sure we don't do it for
+ * pure SSLv2 or SSLv3 connections, and also prevent IP addresses
+ * from being included in the SNI extension. (OpenSSL would simply
+ * pass them on, but RFC 6066 is quite clear on this: "Literal
+ * IPv4 and IPv6 addresses are not permitted".)
+ */
+ if (hostname_note &&
+ sc->proxy->protocol != SSL_PROTOCOL_SSLV2 &&
+ sc->proxy->protocol != SSL_PROTOCOL_SSLV3 &&
+ apr_ipsubnet_create(&ip, hostname_note, NULL,
+ c->pool) != APR_SUCCESS) {
+ if (SSL_set_tlsext_host_name(filter_ctx->pssl, hostname_note)) {
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
+ "SNI extension for SSL Proxy request set to '%s'",
+ hostname_note);
+ } else {
+ ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c,
+ "Failed to set SNI extension for SSL Proxy "
+ "request to '%s'", hostname_note);
+ ssl_log_ssl_error(APLOG_MARK, APLOG_WARNING, server);
+ }
+ }
+#endif
+
if ((n = SSL_connect(filter_ctx->pssl)) <= 0) {
ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
"SSL Proxy connect failed");
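Review bot: The protocol guard `sc->proxy->protocol != SSL_PROTOCOL_SSLV2 && sc->proxy->protocol != SSL_PROTOCOL_SSLV3` only rejects a value that is exactly one of those two constants. If `protocol` is a bitmask of enabled versions (the SSL_PROTOCOL_* naming suggests this, but the definition is not visible in this hunk), a proxy configured for SSLv2 and SSLv3 together with no TLS version still passes the guard and gets the SNI extension set, which contradicts the comment directly above it. Requiring at least one protocol other than those two would match the stated intent: `(sc->proxy->protocol & ~(SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3))` in place of the two inequality tests. The enclosing function starts before and continues past this hunk, so how `protocol` is populated should be confirmed against the configuration code.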
X509_free(cert);
}
if ((sc->proxy_ssl_check_peer_cn == SSL_ENABLED_TRUE)
- && ((hostname_note =
- apr_table_get(c->notes, "proxy-request-hostname")) != NULL)) {
+ && hostname_note) {
const char *hostname;
hostname = ssl_var_lookup(NULL, server, c, NULL,