From: Jim Jagielski
Date: Thu, 25 Aug 2016 12:53:03 +0000 (+0000)
Subject: Merge r1750854, r1750855, r1750947, r1750955, r1750960 from trunk:
X-Git-Tag: 2.4.24~287
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ec1afac81c7fc78a43b19ce4219ae6b761b022a9;p=thirdparty%2Fapache%2Fhttpd.git
Merge r1750854, r1750855, r1750947, r1750955, r1750960 from trunk:
ab: add SNI support when available.
ab: follow up to r1750854: put the -I at the right place for apr_getopt().
ab: follow up to r1750854. Use SNI when available by default, and invert -I logic to now disable it.
ab: follow up to r1750854: some comments and better naming.
ab: follow up to r1750854: still better naming, and a C89 fix.
Submitted by: ylavic
Reviewed/backported by: jim
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1757674 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index ac799bdf9a1..b7c29857981 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,10 @@ Changes with Apache 2.4.24
+ *) ab: Set the Server Name Indication (SNI) extension on outgoing TLS
+ connections (unless -I is specified), according to the Host header (if
+ any) or the requested URL's hostname otherwise. [Yann Ylavic]
+
 *) mod_proxy_fcgi: avoid loops when ProxyErrorOverride is enabled and the error documents are proxied. PR 55415. [Luca Toscano]
diff --git a/STATUS b/STATUS
index 67390077328..ed1955481ba 100644
--- a/STATUS
+++ b/STATUS
@@ -117,18 +117,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
 [ start all new proposals below, under PATCHES PROPOSED. ]
- *) ab: Set the Server Name Indication (SNI) extension on outgoing TLS
- connections (unless -I is specified), according to the Host header (if
- any) or the requested URL's hostname otherwise.
- trunk patch: http://svn.apache.org/r1750854
- http://svn.apache.org/r1750855
- http://svn.apache.org/r1750947
- http://svn.apache.org/r1750955
- http://svn.apache.org/r1750960
- 2.4.x patch: http://home.apache.org/~ylavic/patches/httpd-2.4.x-ab_sni.patch
- (needed to adapt CHANGES entry since r1750854)
- +1: ylavic, covener, jim
-
 *) mod_reqtimeout: Fix body timeout disabling for CONNECT requests to avoid triggering mod_proxy_connect's AH01018 once the tunnel is established.
 trunk patch: http://svn.apache.org/r1754391
diff --git a/support/ab.c b/support/ab.c
index dc85a9afc79..ac0b54415c0 100644
--- a/support/ab.c
+++ b/support/ab.c
@@ -194,6 +194,9 @@ typedef STACK_OF(X509) X509_STACK_TYPE;
 #ifdef SSL_OP_NO_TLSv1_2
 #define HAVE_TLSV1_X
 #endif
+#if !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name)
+#define HAVE_TLSEXT
+#endif
 #endif
 #include
@@ -310,7 +313,7 @@ int isproxy = 0;
 apr_interval_time_t aprtimeout = apr_time_from_sec(30); /* timeout value */
 /* overrides for ab-generated common headers */
-int opt_host = 0; /* was an optional "Host:" header specified? */
+const char *opt_host; /* which optional "Host:" header specified, if any */
 int opt_useragent = 0; /* was an optional "User-Agent:" header specified? */
 int opt_accept = 0; /* was an optional "Accept:" header specified? */
 /*
@@ -343,6 +346,10 @@ SSL_CTX *ssl_ctx;
 char *ssl_cipher = NULL;
 char *ssl_info = NULL;
 BIO *bio_out,*bio_err;
+#ifdef HAVE_TLSEXT
+int tls_use_sni = 1; /* used by default, -I disables it */
+const char *tls_sni = NULL; /* 'opt_host' if any, 'hostname' otherwise */
+#endif
 #endif
 apr_time_t start, lasttime, stoptime;
@@ -864,6 +871,11 @@ static void output_results(int sig)
 if (is_ssl && ssl_info) {
 printf("SSL/TLS Protocol: %s\n", ssl_info);
 }
+#ifdef HAVE_TLSEXT
+ if (is_ssl && tls_sni) {
+ printf("TLS Server Name: %s\n", tls_sni);
+ }
+#endif
 #endif
 printf("\n");
 printf("Document Path: %s\n", path);
@@ -1332,6 +1344,11 @@ static void start_connect(struct connection * c)
 BIO_set_callback(bio, ssl_print_cb);
 BIO_set_callback_arg(bio, (void *)bio_err);
 }
+#ifdef HAVE_TLSEXT
+ if (tls_sni) {
+ SSL_set_tlsext_host_name(c->ssl, tls_sni);
+ }
+#endif
 } else {
 c->ssl = NULL;
 }
@@ -1710,6 +1727,18 @@ static void test(void)
 /* Header overridden, no need to add, as it is already in hdrs */
 }
+#ifdef HAVE_TLSEXT
+ if (is_ssl && tls_use_sni) {
+ apr_ipsubnet_t *ip;
+ if (((tls_sni = opt_host) || (tls_sni = hostname)) &&
+ (!*tls_sni || apr_ipsubnet_create(&ip, tls_sni, NULL,
+ cntxt) == APR_SUCCESS)) {
+ /* IP not allowed in TLS SNI extension */
+ tls_sni = NULL;
+ }
+ }
+#endif
+
 if (!opt_useragent) {
 /* User-Agent: header not overridden, add default value to hdrs */
 hdrs = apr_pstrcat(cntxt, hdrs, "User-Agent: ApacheBench/", AP_AB_BASEREVISION, "\r\n", NULL);
@@ -2009,6 +2038,9 @@ static void usage(const char *progname)
 #define TLS1_X_HELP_MSG ""
 #endif
+#ifdef HAVE_TLSEXT
+ fprintf(stderr, " -I Disable TLS Server Name Indication (SNI) extension\n");
+#endif
 fprintf(stderr, " -Z ciphersuite Specify SSL/TLS cipher suite (See openssl ciphers)\n");
 fprintf(stderr, " -f protocol Specify SSL/TLS protocol\n");
 fprintf(stderr, " (" SSL2_HELP_MSG SSL3_HELP_MSG "TLS1" TLS1_X_HELP_MSG " or ALL)\n");
@@ -2172,7 +2204,7 @@ int main(int argc, const char * const argv[])
 myhost = NULL; /* 0.0.0.0 or :: */
 apr_getopt_init(&opt, cntxt, argc, argv);
- while ((status = apr_getopt(opt, "n:c:t:s:b:T:p:u:v:lrkVhwix:y:z:C:H:P:A:g:X:de:SqB:m:"
+ while ((status = apr_getopt(opt, "n:c:t:s:b:T:p:u:v:lrkVhwiIx:y:z:C:H:P:A:g:X:de:SqB:m:"
 #ifdef USE_SSL
 "Z:f:"
 #endif
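Review bot: The return value of `SSL_set_tlsext_host_name()` in the new `if (tls_sni)` block of start_connect() is discarded, so when OpenSSL rejects the name (the call returns 0, e.g. for an over-long host name) the benchmark silently runs without SNI while output_results() still prints `TLS Server Name: <tls_sni>`, and the report no longer matches what went on the wire. `if (!SSL_set_tlsext_host_name(c->ssl, tls_sni)) { ERR_print_errors(bio_err); }` at least surfaces the failure on the error BIO the surrounding lines already use. start_connect() starts and ends outside the hunk, so I cannot see how its other SSL setup failures are handled; treating this one the same way would be better than only printing.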
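Review bot: The SNI value taken from `opt_host` in the new `if (is_ssl && tls_use_sni)` block of test() can still carry a `:port` suffix or a bracketed IPv6 literal, because the `-H "Host:"` parsing in main() only trims whitespace and `apr_ipsubnet_create()` does not recognise `[::1]` as an address; `-H "Host: vhost.example:8443"` therefore sends `vhost.example:8443` as the server name, which is not a valid SNI host name and is rejected or ignored by the server while the report still shows it. I would resolve the name first, drop a trailing port unless the value is bracketed, and treat a bracketed value as an IP literal (no SNI), as below. This presumes `hostname` from the URL parser already has its port split off; the rest of test() is outside the hunk.
```c
#ifdef HAVE_TLSEXT
    if (is_ssl && tls_use_sni) {
        apr_ipsubnet_t *ip;
        const char *name = opt_host ? opt_host : hostname;
        tls_sni = NULL;
        /* Host: may be "name:port" or "[v6addr]:port"; SNI takes a bare DNS name */
        if (name && *name && *name != '[') {
            const char *colon = strchr(name, ':');
            if (colon && colon > name) {
                name = apr_pstrndup(cntxt, name, colon - name);
            }
            /* IP not allowed in TLS SNI extension */
            if (apr_ipsubnet_create(&ip, name, NULL, cntxt) != APR_SUCCESS) {
                tls_sni = name;
            }
        }
    }
#endif
```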
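Review bot: The `I` added to the apr_getopt() option string is unconditional, whereas the matching `case 'I':` (last hunk of this file) is compiled only under HAVE_TLSEXT, which the earlier hunk defines inside the SSL section; in a build without the extension `-I` is accepted by apr_getopt() and, unless the switch has a default I cannot see, does nothing without any diagnostic. Guard it the way `"Z:f:"` already is: restore `wix:` in the literal and append `#ifdef HAVE_TLSEXT "I" #endif` on lines of their own after it, so an unsupported option is reported instead of silently ignored. main() continues outside the hunk.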
@@ -2291,7 +2323,16 @@ int main(int argc, const char * const argv[])
 * allow override of some of the common headers that ab adds
 */
 if (strncasecmp(opt_arg, "Host:", 5) == 0) {
- opt_host = 1;
+ char *host;
+ apr_size_t len;
+ opt_arg += 5;
+ while (apr_isspace(*opt_arg))
+ opt_arg++;
+ len = strlen(opt_arg);
+ host = strdup(opt_arg);
+ while (len && apr_isspace(host[len-1]))
+ host[--len] = '\0';
+ opt_host = host;
 } else if (strncasecmp(opt_arg, "Accept:", 7) == 0) {
 opt_accept = 1;
 } else if (strncasecmp(opt_arg, "User-Agent:", 11) == 0) {
@@ -2355,10 +2396,16 @@ int main(int argc, const char * const argv[])
 #ifndef OPENSSL_NO_SSL2
 } else if (strncasecmp(opt_arg, "SSL2", 4) == 0) {
 meth = SSLv2_client_method();
+#ifdef HAVE_TLSEXT
+ tls_use_sni = 0;
+#endif
 #endif
 #ifndef OPENSSL_NO_SSL3
 } else if (strncasecmp(opt_arg, "SSL3", 4) == 0) {
 meth = SSLv3_client_method();
+#ifdef HAVE_TLSEXT
+ tls_use_sni = 0;
+#endif
 #endif
 #ifdef HAVE_TLSV1_X
 } else if (strncasecmp(opt_arg, "TLS1.1", 6) == 0) {
@@ -2370,6 +2417,11 @@ int main(int argc, const char * const argv[])
 meth = TLSv1_client_method();
 }
 break;
+#ifdef HAVE_TLSEXT
+ case 'I':
+ tls_use_sni = 0;
+ break;
+#endif
 #endif
 }
 }
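Review bot: The result of `host = strdup(opt_arg);` in the new `Host:` branch is never checked, so on allocation failure the following `while (len && apr_isspace(host[len-1]))` dereferences NULL for any non-empty header value. This is also the only libc allocation in this path while the header handling elsewhere builds `hdrs` from the `cntxt` pool that main() already passes to apr_getopt_init(); `host = apr_pstrdup(cntxt, opt_arg);` keeps the copy on the pool and in the program's usual allocation style. The enclosing option loop starts and ends outside the hunk.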