From: Yann Ylavic Date: Sat, 7 Jan 2017 13:00:39 +0000 (+0000) Subject: Merge r1634120 from trunk: X-Git-Tag: 2.2.32~12 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=52ef2d8953bd7f0c46abb036318c12cdc96b3dd7;p=thirdparty%2Fapache%2Fhttpd.git Merge r1634120 from trunk: * Use the correct server name for SNI in case the backend SSL connection itself is established via a proxy server. PR: 57139 Submitted by: Szabolcs Gyurko Committed by: rpluem Backported by: ylavic Reviewed by: ylavic, wrowe, covener, orlikowski git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1777779 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index fb4a949f414..c3be9dc890a 100644 --- a/CHANGES +++ b/CHANGES @@ -6,6 +6,10 @@ Changes with Apache 2.2.32 and request headers, to prevent response splitting and cache pollution by malicious clients or downstream proxies. [William Rowe, Stefan Fritsch] + *) mod_proxy: Use the correct server name for SNI in case the backend + SSL connection itself is established via a proxy server. + PR 57139 [Szabolcs Gyurko ] + *) core: CVE-2016-5387: Mitigate [f]cgi "httpoxy" issues. [Dominic Scheirlinck , Yann Ylavic] diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c index 34c411eaba5..4b6b8cfa813 100644 --- a/modules/proxy/proxy_util.c +++ b/modules/proxy/proxy_util.c @@ -2319,6 +2319,10 @@ ap_proxy_determine_connection(apr_pool_t *p, request_rec *r, if (conf->preserve_host) { ssl_hostname = r->hostname; } + else if (conn->forward + && ((forward_info *)(conn->forward))->use_http_connect) { + ssl_hostname = ((forward_info *)conn->forward)->target_host; + } else { ssl_hostname = conn->hostname; }
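Review bot: In the proxy_util.c hunk, the new `else if` branch assigns `ssl_hostname` from `target_host` without checking that it is set. The visible lines do not show where `target_host` is populated, so if `use_http_connect` can be true while `target_host` is still NULL, nothing falls back to `conn->hostname` for the SNI name. Either extend the condition to also require a non-NULL `target_host`, or add a comment stating the invariant that guarantees it. Two smaller points in the same branch: the cast is written twice with different parenthesization, `(forward_info *)(conn->forward)` and `(forward_info *)conn->forward`, so a local `forward_info *` pointer would remove the duplication and make the condition easier to read; and since `conf->preserve_host` still takes precedence over the CONNECT target, a one-line comment on that ordering would help, because it decides which name the backend sees in SNI.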