From: Jeff Trawick Date: Sat, 12 Jul 2014 13:26:42 +0000 (+0000) Subject: Perform SNI checks only on the initial request. In particular, X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=44ff5555b3f13ef673968c2f36e095ba1d144b75;p=thirdparty%2Fapache%2Fhttpd.git Perform SNI checks only on the initial request. In particular, if these checks detect a problem, the checks shouldn't return an error again when processing an ErrorDocument redirect for the original problem. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1609914 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index ea97bd1f341..9f4c6ecf948 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.0 + *) mod_ssl: Fix issue with redirects to error documents when handling + SNI errors. [Jeff Trawick] + *) mod_authnz_ldap: Return LDAP connections to the pool before the handler is run, instead of waiting until the end of the request. [Eric Covener] diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index 0207947d9c2..ea1298a5b8f 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -164,7 +164,13 @@ int ssl_hook_ReadReq(request_rec *r) return DECLINED; } #ifdef HAVE_TLSEXT - if (r->proxyreq != PROXYREQ_PROXY) { + /* + * Perform SNI checks only on the initial request. In particular, + * if these checks detect a problem, the checks shouldn't return an + * error again when processing an ErrorDocument redirect for the + * original problem. + */ + if (r->proxyreq != PROXYREQ_PROXY && ap_is_initial_req(r)) { if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { char *host, *scope_id; apr_port_t port;
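Review bot: The CHANGES entry in the first hunk ("Fix issue with redirects to error documents when handling SNI errors") does not say what the issue was or how behaviour changes. Suggest wording that matches the code comment, for example that mod_ssl now performs SNI checks only on the initial request, so that the ErrorDocument redirect for an SNI error is not rejected by the same checks again.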
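Review bot: In the ssl_hook_ReadReq hunk of modules/ssl/ssl_engine_kernel.c, the new guard `if (r->proxyreq != PROXYREQ_PROXY && ap_is_initial_req(r))` is broader than the comment above it describes. ap_is_initial_req() is false for every subrequest and every internal redirect, so the whole SNI block is now skipped for all of them, while the comment names only the ErrorDocument redirect. Please extend the comment to state that scope and the reasoning for why skipping the checks on non-initial requests is acceptable, so a later reader does not take the narrower description at face value. A regression test covering an SNI error with an ErrorDocument configured would also pin down the behaviour this change is meant to fix.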