Merge r1634120 from trunk:
authorYann Ylavic <ylavic@apache.org>
Sat, 7 Jan 2017 13:00:39 +0000 (13:00 +0000)
committerYann Ylavic <ylavic@apache.org>
Sat, 7 Jan 2017 13:00:39 +0000 (13:00 +0000)
* Use the correct server name for SNI in case the backend SSL connection itself
  is established via a proxy server.

PR: 57139
Submitted by: Szabolcs Gyurko <szabolcs gyurko.org>

Committed by: rpluem
Backported by: ylavic
Reviewed by: ylavic, wrowe, covener, orlikowski

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1777779 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
modules/proxy/proxy_util.c

diff --git a/CHANGES b/CHANGES
index fb4a949f4144e9c43b76ebd0320c6a0daa8135c1..c3be9dc890a0294df73ff111c1d45b3d77ac2330 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,10 @@ Changes with Apache 2.2.32
      and request headers, to prevent response splitting and cache pollution by
      malicious clients or downstream proxies. [William Rowe, Stefan Fritsch]
 
+  *) mod_proxy: Use the correct server name for SNI in case the backend
+     SSL connection itself is established via a proxy server.
+     PR 57139 [Szabolcs Gyurko <szabolcs gyurko.org>]
+
   *) core: CVE-2016-5387: Mitigate [f]cgi "httpoxy" issues.
      [Dominic Scheirlinck <dominic vendhq.com>, Yann Ylavic]
 
index 34c411eaba53f348aa41bdc0ac7b87375d00db4c..4b6b8cfa81323f81af68e085af9ae07e9203b9f9 100644 (file)
@@ -2319,6 +2319,10 @@ ap_proxy_determine_connection(apr_pool_t *p, request_rec *r,
         if (conf->preserve_host) {
             ssl_hostname = r->hostname;
         }
+        else if (conn->forward
+                 && ((forward_info *)(conn->forward))->use_http_connect) {
+            ssl_hostname = ((forward_info *)conn->forward)->target_host;
+        }
         else {
             ssl_hostname = conn->hostname;
         }