diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 19ba733..28caefd 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -55,6 +55,7 @@ SSLModConfigRec *ssl_config_global_create(server_rec *s)
     mc = (SSLModConfigRec *)apr_palloc(pool, sizeof(*mc));
     mc->pPool = pool;
     mc->bFixed = FALSE;
+    mc->sni_required = FALSE;
 
     /*
      * initialize per-module configuration
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index b1741b8..8e0c4bc 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -244,7 +244,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
     /*
      * Configuration consistency checks
      */
-    if ((rv = ssl_init_CheckServers(base_server, ptemp)) != APR_SUCCESS) {
+    if ((rv = ssl_init_CheckServers(mc, base_server, ptemp)) != APR_SUCCESS) {
         return rv;
     }
 
@@ -1398,7 +1398,7 @@ apr_status_t ssl_init_ConfigureServer(server_rec *s,
     return APR_SUCCESS;
 }
 
-apr_status_t ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
+apr_status_t ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *base_server, apr_pool_t *p)
 {
     server_rec *s, *ps;
     SSLSrvConfigRec *sc;
@@ -1480,6 +1480,7 @@ apr_status_t ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
     }
 
     if (conflict) {
+        mc->sni_required = TRUE;
 #ifndef HAVE_TLSEXT
         ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01917)
                      "Init: You should not use name-based "
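Review bot: `mc->sni_required` is only ever raised to TRUE inside `if (conflict)`, and the only FALSE assignment in this diff is in ssl_config_global_create. If the SSLModConfigRec outlives a configuration reload (not visible here), the flag would stay TRUE after the conflicting vhosts are removed. That errs toward keeping the SNI/Host check enabled, but it makes request handling depend on reload history. Consider assigning it unconditionally just before the test, `mc->sni_required = conflict ? TRUE : FALSE;`. The body of ssl_init_CheckServers starts and ends outside the hunk.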
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index c60f0a6..232be86 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -165,6 +165,7 @@ int ssl_hook_ReadReq(request_rec *r)
 #ifdef HAVE_TLSEXT
     if (r->proxyreq != PROXYREQ_PROXY) {
         if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
+        if (myModConfig(r->server)->sni_required) {
             char *host, *scope_id;
             apr_port_t port;
             apr_status_t rv;
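Review bot: The new `if (myModConfig(r->server)->sni_required) {` opens inside the `SSL_get_servername` test but is closed only by the `}` added before `#endif` in the next hunk of ssl_hook_ReadReq, so any `else` that followed the servername block now pairs with the new test instead. The lines between the two hunks are not shown; if the branch ending in `return HTTP_FORBIDDEN;` is such an `else if` (a strict rejection of clients that sent no SNI), it would no longer run for clients without SNI, and it would run for clients that did send SNI whenever `sni_required` is FALSE. Close the new block directly after the SNI/Host comparison, before that `else`, and indent the wrapped body one level so the pairing is visible. A comment such as `/* compare SNI and Host only when name-based vhosts conflict */` on the new test would record why the check can be skipped.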
@@ -216,6 +217,7 @@ int ssl_hook_ReadReq(request_rec *r)
             return HTTP_FORBIDDEN;
         }
     }
+    }
 #endif
     SSL_set_app_data2(ssl, r);
 
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 516d7e6..624bf7a 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -489,6 +489,7 @@ typedef struct {
     ap_socache_instance_t *stapling_cache_context;
     apr_global_mutex_t   *stapling_mutex;
 #endif
+    BOOL            sni_required;
 } SSLModConfigRec;
 
 /** Structure representing configured filenames for certs and keys for
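Review bot: The new `sni_required` field has no comment, and its name does not say what sets it or what it gates. Suggest `BOOL sni_required; /* TRUE once ssl_init_CheckServers finds conflicting name-based vhosts; enables the SNI/Host comparison in ssl_hook_ReadReq */`. The struct definition starts outside the hunk.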
@@ -738,7 +739,7 @@ apr_status_t ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_re
 apr_status_t ssl_init_Engine(server_rec *, apr_pool_t *);
 apr_status_t ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *,
                                       apr_array_header_t *);
-apr_status_t ssl_init_CheckServers(server_rec *, apr_pool_t *);
+apr_status_t ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *, apr_pool_t *);
 STACK_OF(X509_NAME)
             *ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *);
 void         ssl_init_Child(apr_pool_t *, server_rec *);
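Review bot: The updated prototype names its first parameter (`SSLModConfigRec *mc`) while its other two parameters and the neighbouring prototypes are unnamed. For consistency with the rest of the header, use `apr_status_t ssl_init_CheckServers(SSLModConfigRec *, server_rec *, apr_pool_t *);`.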