From: Ruediger Pluem
Date: Sat, 2 May 2009 07:47:59 +0000 (+0000)
Subject: * As proposed by wrowe on list always define SSLStrictSNIVHostCheck, but error
X-Git-Tag: 2.3.3~676
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8627001684471dfc18a53a970ef79f24e1740d90;p=thirdparty%2Fapache%2Fhttpd.git
* As proposed by wrowe on list always define SSLStrictSNIVHostCheck, but error out if we are not compiled against an SNI capable OpenSSL.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@770907 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index fb5ded244f6..3b49b6a2d75 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -129,10 +129,8 @@ static const command_rec ssl_config_cmds[] = {
 SSL_CMD_SRV(LogLevelDebugDump, TAKE1, "Include I/O Dump when LogLevel is set to Debug " "([ None (default) | IO (not bytes) | Bytes ])")
-#ifndef OPENSSL_NO_TLSEXT
 SSL_CMD_SRV(StrictSNIVHostCheck, FLAG, "Strict SNI virtual host checking")
-#endif
 /*
 * Proxy configuration for remote SSL connections
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 70bbf758cf0..8175640ae2e 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -1446,16 +1446,20 @@ const char *ssl_cmd_SSLProxyCheckPeerCN(cmd_parms *cmd, void *dcfg, int flag)
 return NULL;
 }
-#ifndef OPENSSL_NO_TLSEXT
 const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag)
 {
+#ifndef OPENSSL_NO_TLSEXT
 SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
 sc->strict_sni_vhost_check = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE;
 return NULL;
-}
+#else
+ return "SSLStrictSNIVHostCheck failed; OpenSSL is not built with support "
+ "for TLS extensions and SNI indication. Refer to the "
+ "documentation, and build a compatible version of OpenSSL.";
 #endif
+}
 void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
 {
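Review bot: In ssl_cmd_SSLStrictSNIVHostCheck (modules/ssl/ssl_engine_config.c), the new `#else` branch returns the error without looking at `flag`, so on an OpenSSL built with OPENSSL_NO_TLSEXT an explicit `SSLStrictSNIVHostCheck off` stops configuration just as `on` does. Refusing `on` is the safe choice, because such a build cannot enforce the check the administrator asked for. If refusing `off` is also intended, a comment above the return would record that, for example `/* Rejected for on and off alike: this OpenSSL has no TLS extensions, so SNI is unavailable. */`. The message text also says "SNI indication", which repeats the last word of the acronym; dropping "indication" reads better.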
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 840230a3fce..004967001d3 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -547,9 +547,7 @@ const char *ssl_cmd_SSLRequire(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLUserName(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLLogLevelDebugDump(cmd_parms *, void *, const char *);
 const char *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
-#ifndef OPENSSL_NO_TLSEXT
 const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
-#endif
 const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
 const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);