From: Kaspar Brand Date: Wed, 10 Jul 2013 10:32:28 +0000 (+0000) Subject: Updated fix for issue which was initially addressed in r1500108: X-Git-Tag: 2.2.26~53 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7743e9601af679bffaef6680dabcfa4347151389;p=thirdparty%2Fapache%2Fhttpd.git Updated fix for issue which was initially addressed in r1500108: mod_ssl: Fix "SNI for backend" when compiled against OpenSSL without support for SSLv2. PR 55194. Followup to r1497466. Does not apply to trunk or 2.4.x. Proposed by: kbrand Reviewed by: wrowe, rpluem git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1501712 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index d39d14a29f9..8e3327cc9d6 100644 --- a/CHANGES +++ b/CHANGES @@ -1,7 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache 2.2.26 - + *) mod_ssl: Fix compilation error when OpenSSL does not contain + support for SSLv2. Problem was introduced in 2.2.25. PR 55194. + [Rainer Jung, Kaspar Brand] Changes with Apache 2.2.25 diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c index 13131900fb6..7884a0a121b 100644 --- a/modules/ssl/ssl_engine_io.c +++ b/modules/ssl/ssl_engine_io.c 
@@ -1073,13 +1073,16 @@ static int ssl_io_filter_connect(ssl_filter_ctx_t *filter_ctx) #ifndef OPENSSL_NO_TLSEXT /* * Enable SNI for backend requests. Make sure we don't do it for - * pure SSLv2 or SSLv3 connections, and also prevent IP addresses + * pure SSLv3 connections, and also prevent IP addresses * from being included in the SNI extension. (OpenSSL would simply * pass them on, but RFC 6066 is quite clear on this: "Literal * IPv4 and IPv6 addresses are not permitted".) + * We can omit the check for SSL_PROTOCOL_SSLV2 as there is + * no way for OpenSSL to screw up things in this case (it's + * impossible to include extensions in a pure SSLv2 ClientHello, + * protocol-wise). */ if (hostname_note && - sc->proxy->protocol != SSL_PROTOCOL_SSLV2 && sc->proxy->protocol != SSL_PROTOCOL_SSLV3 && apr_ipsubnet_create(&ip, hostname_note, NULL, c->pool) != APR_SUCCESS) {
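Review bot: In the CHANGES hunk, the new entry mentions only a "compilation error" and does not say which mod_ssl code is affected. The commit message ties the fix to "SNI for backend", and the code hunk edits the SNI condition in ssl_io_filter_connect. Naming that feature in the entry would let readers of CHANGES tell that the fix concerns the backend (sc->proxy) connection path, and that it follows up the change shipped in 2.2.25.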
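Review bot: In the ssl_engine_io.c hunk, the added comment explains why dropping the "sc->proxy->protocol != SSL_PROTOCOL_SSLV2" test is harmless, but not why it had to be dropped. The CHANGES entry gives the reason (the build fails when OpenSSL has no SSLv2 support), and that reason is missing from the code itself. Add one sentence to the comment saying the test was removed so the file compiles against such OpenSSL builds; otherwise a later cleanup may restore it for symmetry with the remaining SSL_PROTOCOL_SSLV3 line and bring the build failure back. The phrase "no way for OpenSSL to screw up things" would also read better as a statement of what happens: a pure SSLv2 ClientHello cannot carry extensions, so no SNI is sent in that case.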