From d41fac0208327c136bbc5c6dde52902f62146e67 Mon Sep 17 00:00:00 2001 From: Joe Orton Date: Tue, 21 Aug 2012 14:46:55 +0000 Subject: [PATCH] * modules/ssl/ssl_engine_io.c (ssl_io_filter_handshake): Add a wildcard common name match. PR: 53006 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1375584 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 3 +++ modules/ssl/ssl_engine_io.c | 13 ++++++++++++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index a059051ce08..9175e00ca40 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.0 + *) mod_ssl: Match wildcard SSL certificate names in proxy mode. + PR 53006. [Joe Orton] + *) WinNT MPM: Store pid and generation for each thread in scoreboard to allow tracking of threads from exiting children via mod_status or other such mechanisms. [Jeff Trawick] diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c index 12c9c7fc2fb..571dd3a9684 100644 --- a/modules/ssl/ssl_engine_io.c +++ b/modules/ssl/ssl_engine_io.c @@ -1114,11 +1114,22 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx) if ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE) && hostname_note) { const char *hostname; + int match = 0; hostname = ssl_var_lookup(NULL, server, c, NULL, "SSL_CLIENT_S_DN_CN"); apr_table_unset(c->notes, "proxy-request-hostname"); - if (strcasecmp(hostname, hostname_note)) { + + /* Do string match or simplest wildcard match if that + * fails. */ + match = strcasecmp(hostname, hostname_note) == 0; + if (!match && strncmp(hostname, "*.", 2) == 0) { + const char *p = ap_strchr_c(hostname_note, '.'); + + match = p && strcasecmp(p, hostname + 1) == 0; + } + + if (!match) { ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02005) "SSL Proxy: Peer certificate CN mismatch:" " Certificate CN: %s Requested hostname: %s", -- 2.47.2