From 014eb024a9c290ee6bb4d53102adb60d0007d344 Mon Sep 17 00:00:00 2001
From: Yann Ylavic
Date: Tue, 9 Jun 2015 16:09:28 +0000
Subject: [PATCH] Merge r1585090 from trunk: Bring SNI behavior into better conformance with RFC 6066:
- no longer send a warning-level unrecognized_name(112) alert when no matching vhost is found (PR 56241)
- at startup, only issue warnings about IP/port conflicts and name-based SSL vhosts when running with an OpenSSL without TLS extension support (almost 5 years after SNI was added to 2.2.x, the "[...] only work for clients with TLS server name indication support" warning feels obsolete)
Proposed by: kbrand
Reviewed by: ylavic, jorton, wrowe
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1684462 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES | 4 ++++
 STATUS | 9 ---------
 modules/ssl/ssl_engine_kernel.c | 18 ++++++++++++++++--
 3 files changed, 20 insertions(+), 11 deletions(-)
diff --git a/CHANGES b/CHANGES
index ebafa680838..ef85c992fd7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.2.30
+ *) mod_ssl: bring SNI behavior into better conformance with RFC 6066:
+ no longer send warning-level unrecognized_name(112) alerts. PR 56241.
+ [Kaspar Brand]
+
 *) http: Make ap_die() robust against any HTTP error code and not modify response status (finally logged) when nothing is to be done. [Yann Ylavic]
diff --git a/STATUS b/STATUS
index 93da8bcc9b3..a4432516328 100644
--- a/STATUS
+++ b/STATUS
@@ -101,15 +101,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
 [ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_ssl: bring SNI behavior into better conformance with RFC 6066
- (also addresses PR 56241)
- trunk patch: https://svn.apache.org/r1585090
- (partial, w/o startup warnings changes)
- 2.4.x patch: https://svn.apache.org/r1588424
- (backported to 2.4.10)
- 2.2.x patch: http://people.apache.org/~ylavic/httpd-2.2.x-no_sni_warning.patch
- +1: ylavic, jorton, wrowe
-
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
 [ New proposals should be added at the end of the list ]
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index f4bedc8299c..7c564556b94 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -1940,7 +1940,7 @@ void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc)
 #ifndef OPENSSL_NO_TLSEXT
 /*
 * This callback function is executed when OpenSSL encounters an extended
- * client hello with a server name indication extension ("SNI", cf. RFC 4366).
+ * client hello with a server name indication extension ("SNI", cf. RFC 6066).
 */
 int ssl_callback_ServerNameIndication(SSL *ssl, int *al, modssl_ctx_t *mctx)
 {
@@ -1962,7 +1962,21 @@ int ssl_callback_ServerNameIndication(SSL *ssl, int *al, modssl_ctx_t *mctx)
 "No matching SSL virtual host for servername "
 "%s found (using default/first virtual host)",
 servername);
- return SSL_TLSEXT_ERR_ALERT_WARNING;
+ /*
+ * RFC 6066 section 3 says "It is NOT RECOMMENDED to send
+ * a warning-level unrecognized_name(112) alert, because
+ * the client's behavior in response to warning-level alerts
+ * is unpredictable."
+ *
+ * To maintain backwards compatibility in mod_ssl, we
+ * no longer send any alert (neither warning- nor fatal-level),
+ * i.e. we take the second action suggested in RFC 6066:
+ * "If the server understood the ClientHello extension but
+ * does not recognize the server name, the server SHOULD take
+ * one of two actions: either abort the handshake by sending
+ * a fatal-level unrecognized_name(112) alert or continue
+ * the handshake."
+ */
 }
 }
 }
-- 
2.47.2
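Review bot: With `return SSL_TLSEXT_ERR_ALERT_WARNING;` removed, the no-match branch now ends in a comment only and falls out through the three closing braces into code outside the hunk, so a reader of this hunk cannot see which `SSL_TLSEXT_ERR_*` value the callback returns for an unrecognized name (presumably the function's final return, which in OpenSSL terms would be `SSL_TLSEXT_ERR_NOACK`, i.e. continue the handshake without acknowledging the extension — to be confirmed against the lines below the hunk). Closing the new comment with an explicit pointer, e.g. `* We fall through to the callback's final return value below.`, would make that intent visible where the decision is taken. The phrase "To maintain backwards compatibility in mod_ssl" also reads oddly next to a line that changes behavior relative to the previous alert-sending code; it appears to mean "keep accepting clients that tolerated the warning rather than aborting their handshake", and wording it that way, e.g. `* To keep such clients connecting (rather than aborting the handshake), we`, removes the ambiguity. Since the client no longer receives any alert, the DEBUG-level log message just above this change becomes the only record of an SNI name mismatch, which is worth stating in the comment for anyone troubleshooting vhost selection. The enclosing function ssl_callback_ServerNameIndication begins before this hunk and its final return lies after it.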