From: Joe Orton Date: Tue, 21 Aug 2012 14:46:55 +0000 (+0000) Subject: * modules/ssl/ssl_engine_io.c (ssl_io_filter_handshake): Add a X-Git-Tag: 2.5.0-alpha~6389 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d41fac0208327c136bbc5c6dde52902f62146e67;p=thirdparty%2Fapache%2Fhttpd.git * modules/ssl/ssl_engine_io.c (ssl_io_filter_handshake): Add a wildcard common name match. PR: 53006 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1375584 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index a059051ce08..9175e00ca40 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
+ *) mod_ssl: Match wildcard SSL certificate names in proxy mode.
+ PR 53006. [Joe Orton]
+
 *) WinNT MPM: Store pid and generation for each thread in scoreboard to allow tracking of threads from exiting children via mod_status or other such mechanisms. [Jeff Trawick]
diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
index 12c9c7fc2fb..571dd3a9684 100644
--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
@@ -1114,11 +1114,22 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
 if ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE) && hostname_note) {
 const char *hostname;
+ int match = 0;
 hostname = ssl_var_lookup(NULL, server, c, NULL, "SSL_CLIENT_S_DN_CN");
 apr_table_unset(c->notes, "proxy-request-hostname");
- if (strcasecmp(hostname, hostname_note)) {
+
+ /* Do string match or simplest wildcard match if that
+ * fails. */
+ match = strcasecmp(hostname, hostname_note) == 0;
+ if (!match && strncmp(hostname, "*.", 2) == 0) {
+ const char *p = ap_strchr_c(hostname_note, '.');
+
+ match = p && strcasecmp(p, hostname + 1) == 0;
+ }
+
+ if (!match) {
 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02005)
 "SSL Proxy: Peer certificate CN mismatch:"
 " Certificate CN: %s Requested hostname: %s",
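Review bot: The wildcard branch accepts a requested hostname whose left-most label is empty, because `ap_strchr_c(hostname_note, '.')` returns the whole string when it starts with a dot, so a request for `.example.com` would be matched by a `*.example.com` certificate; requiring at least one character before the dot closes that, `match = p && p != hostname_note && strcasecmp(p, hostname + 1) == 0;`. The check also never rejects a wildcard whose remainder is a single label (a CN of `*.com`), which RFC 6125 leaves to the implementation and browsers commonly refuse; since the comment already calls this the simplest match, a note of that limitation next to it would help, e.g. `/* Does not reject a wildcard in the top-level label (*.com). */`. Only the CN is compared here, not subjectAltName entries, but that predates this change. ssl_io_filter_handshake starts and ends outside the hunk.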