From: Jim Jagielski Date: Tue, 4 Sep 2007 11:44:14 +0000 (+0000) Subject: Merge r378487 from trunk: X-Git-Tag: 2.2.6~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0d6baab3ce0043fe07ee8d6d63bf57a01d957231;p=thirdparty%2Fapache%2Fhttpd.git Merge r378487 from trunk: * modules/ssl/ssl_engine_init.c (ssl_check_public_cert): Fix spurious hostname-mismatch warning for valid wildcard certs. PR: 37911 Submitted by: Nick Burch Submitted by: jorton Reviewed by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@572630 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 8578e2424b1..b4b9de04962 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache 2.2.6 + *) mod_ssl: Fix spurious hostname mismatch warning for valid + wildcard certificates. PR 37911. [Nick Burch ] + *) mod_mem_cache: Increase the minimum and default value for MCacheMinObjectSize from 0 to 1, as a MCacheMinObjectSize of 0 does not make sense and leads to a division by zero. PR 40576. diff --git a/STATUS b/STATUS index e5342223178..21cbcd261f6 100644 --- a/STATUS +++ b/STATUS @@ -80,14 +80,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * mod_ssl: Fix spurious hostname-mismatch warning for valid wildcard certs. - PR 37911. - Trunk version of patch: - http://svn.apache.org/viewcvs.cgi?rev=378487&view=rev - Backport version for 2.2.x of patch: - Trunk version of patch works - +1: rpluem, fielding, jim - * mod_info: mod_info outputs invalid XHTML 1.0 Transitional. PR 42847. Trunk version of patch: diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index 5046989b849..ff2a4946308 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c 
@@ -826,14 +826,14 @@ static void ssl_check_public_cert(server_rec *s,
 if (SSL_X509_getCN(ptemp, cert, &cn)) {
 int fnm_flags = APR_FNM_PERIOD|APR_FNM_CASE_BLIND;
 
- if (apr_fnmatch_test(cn) &&
- (apr_fnmatch(cn, s->server_hostname,
- fnm_flags) == APR_FNM_NOMATCH))
- {
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
- "%s server certificate wildcard CommonName (CN) `%s' "
- "does NOT match server name!?",
- ssl_asn1_keystr(type), cn);
+ if (apr_fnmatch_test(cn)) {
+ if (apr_fnmatch(cn, s->server_hostname,
+ fnm_flags) == APR_FNM_NOMATCH) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+ "%s server certificate wildcard CommonName "
+ "(CN) `%s' does NOT match server name!?",
+ ssl_asn1_keystr(type), cn);
+ }
 }
 else if (strNE(s->server_hostname, cn)) {
 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
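Review bot: The wildcard branch treats any CN for which `apr_fnmatch_test(cn)` is true as a shell glob and matches it with `apr_fnmatch(cn, s->server_hostname, fnm_flags)`, which is looser than the wildcard rules TLS clients apply to certificate names: with only `APR_FNM_PERIOD|APR_FNM_CASE_BLIND` set, `*` can span several dot-separated labels, and `?` or bracket expressions are honoured as well. As a result this startup check can stay silent for a certificate that clients would still reject for `s->server_hostname`, for example a `*.`-prefixed CN compared against a name two labels deeper. Since the result only drives a log warning, a comment above the inner `if` would be enough, e.g. `/* fnmatch is looser than TLS wildcard matching ('*' may span labels); a match here does not mean clients will accept the cert */`. The hunk also consults only the CN via `SSL_X509_getCN`; whether subjectAltName entries are checked elsewhere in `ssl_check_public_cert` is not visible here, as the function starts and ends outside the hunk.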