From: William A. Rowe Jr Date: Thu, 27 Jun 2013 17:24:58 +0000 (+0000) Subject: mod_ssl/proxy: enable the SNI extension for backend TLS connections X-Git-Tag: 2.2.25~10 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6e886db17b3fcaae9077b1620294769feca4aeb9;p=thirdparty%2Fapache%2Fhttpd.git mod_ssl/proxy: enable the SNI extension for backend TLS connections Backports: r1175416 Submitted by: kbrand Reviewed by: wrowe, rjung, trawick git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1497466 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 91f544ba7ce..c7b2c6c4b16 100644 --- a/CHANGES +++ b/CHANGES @@ -17,12 +17,12 @@ Changes with Apache 2.2.25 *) mod_setenvif: Log error on substitution overflow. [Stefan Fritsch] + *) mod_ssl/proxy: enable the SNI extension for backend TLS connections + [Kaspar Brand] + *) mod_ssl: Quiet FIPS mode weak keys disabled and FIPS not selected emits in the error log to debug level. [William Rowe] - *) htdigest: Fix buffer overflow when reading digest password file - with very long lines. PR 54893. [Rainer Jung] - *) mod_ssl: Catch missing, mismatched or encrypted client cert/key pairs with SSLProxyMachineCertificateFile/Path directives. PR 52212, PR 54698. [Keith Burdis , Joe Orton, Kaspar Brand] @@ -31,6 +31,9 @@ Changes with Apache 2.2.25 admin to configure an IO timeout as an error in the balancer. [Daniel Ruggeri] + *) htdigest: Fix buffer overflow when reading digest password file + with very long lines. PR 54893. [Rainer Jung] + *) mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with the source href (sent as part of the request body as XML) pointing to a URI that is not configured for DAV will trigger a segfault. [Ben Reser diff --git a/STATUS b/STATUS index 320464742d6..716833afb08 100644 --- a/STATUS +++ b/STATUS @@ -96,11 +96,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * mod_ssl/proxy: enable the SNI extension for backend TLS connections - [Kaspar Brand] - 2.2.x patch: http://people.apache.org/~rjung/patches/r1175416-2.0-v2.patch - +1: wrowe, rjung, trawick - * mod_proxy_http: Use the same hostname for SNI as for the HTTP request when forwarding to SSL backends. PR: 53134 diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c index 7bba787e588..13131900fb6 100644 --- a/modules/ssl/ssl_engine_io.c +++ b/modules/ssl/ssl_engine_io.c @@ -1063,9 +1063,39 @@ static int ssl_io_filter_connect(ssl_filter_ctx_t *filter_ctx) server = sslconn->server; if (sslconn->is_proxy) { - const char *hostname_note; - +#ifndef OPENSSL_NO_TLSEXT + apr_ipsubnet_t *ip; +#endif + const char *hostname_note = apr_table_get(c->notes, + "proxy-request-hostname"); sc = mySrvConfig(server); + +#ifndef OPENSSL_NO_TLSEXT + /* + * Enable SNI for backend requests. Make sure we don't do it for + * pure SSLv2 or SSLv3 connections, and also prevent IP addresses + * from being included in the SNI extension. (OpenSSL would simply + * pass them on, but RFC 6066 is quite clear on this: "Literal + * IPv4 and IPv6 addresses are not permitted".) + */ + if (hostname_note && + sc->proxy->protocol != SSL_PROTOCOL_SSLV2 && + sc->proxy->protocol != SSL_PROTOCOL_SSLV3 && + apr_ipsubnet_create(&ip, hostname_note, NULL, + c->pool) != APR_SUCCESS) { + if (SSL_set_tlsext_host_name(filter_ctx->pssl, hostname_note)) { + ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, + "SNI extension for SSL Proxy request set to '%s'", + hostname_note); + } else { + ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, + "Failed to set SNI extension for SSL Proxy " + "request to '%s'", hostname_note); + ssl_log_ssl_error(APLOG_MARK, APLOG_WARNING, server); + } + } +#endif + if ((n = SSL_connect(filter_ctx->pssl)) <= 0) { ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, "SSL Proxy connect failed"); @@ -1096,8 +1126,7 @@ static int ssl_io_filter_connect(ssl_filter_ctx_t *filter_ctx) X509_free(cert); } if ((sc->proxy_ssl_check_peer_cn == SSL_ENABLED_TRUE) - && ((hostname_note = - apr_table_get(c->notes, "proxy-request-hostname")) != NULL)) { + && hostname_note) { const char *hostname; hostname = ssl_var_lookup(NULL, server, c, NULL,