rpms / httpd

Clone
Source Code
GIT

Blame SOURCES/httpd-2.4.37-add-SNI-support.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-2.4 c8-sig-artwork c8-stream-2.4 c8s-stream-2.4 c9 c9-beta
  1.   95f01242b0bd8b12e92f4da58f2ea84a1bb997ab
  2.   SOURCES
  3.   httpd-2.4.37-add-SNI-support.patch
Blob History Raw
95f012 
commit 4c0e27d7bfbf46f14dfbd5d888e56c64ad8c8de5
95f012 
Author: Tomas Korbar <tkorbar@redhat.com>
95f012 
Date:   Mon Sep 19 13:22:27 2022 +0200
95f012
95f012 
    Backport refactor of SNI support to httpd-2.4.37
95f012
95f012 
diff --git a/modules/http2/mod_proxy_http2.c b/modules/http2/mod_proxy_http2.c
95f012 
index a7e0dcd..31ccd32 100644
95f012 
--- a/modules/http2/mod_proxy_http2.c
95f012 
+++ b/modules/http2/mod_proxy_http2.c
95f012 
@@ -591,16 +591,6 @@ run_connect:
95f012 
         }
95f012
95f012 
         if (!ctx->p_conn->data) {
95f012 
-            /* New conection: set a note on the connection what CN is
95f012 
-             * requested and what protocol we want */
95f012 
-            if (ctx->p_conn->ssl_hostname) {
95f012 
-                ap_log_cerror(APLOG_MARK, APLOG_TRACE1, status, ctx->owner,
95f012 
-                              "set SNI to %s for (%s)",
95f012 
-                              ctx->p_conn->ssl_hostname,
95f012 
-                              ctx->p_conn->hostname);
95f012 
-                apr_table_setn(ctx->p_conn->connection->notes,
95f012 
-                               "proxy-request-hostname", ctx->p_conn->ssl_hostname);
95f012 
-            }
95f012 
             if (ctx->is_ssl) {
95f012 
                 apr_table_setn(ctx->p_conn->connection->notes,
95f012 
                                "proxy-request-alpn-protos", "h2");
95f012 
diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
95f012 
index 1b7bb81..c1c591a 100644
95f012 
--- a/modules/proxy/mod_proxy_http.c
95f012 
+++ b/modules/proxy/mod_proxy_http.c
95f012 
@@ -2111,19 +2111,6 @@ static int proxy_http_handler(request_rec *r, proxy_worker *worker,
95f012 
             req->origin->keepalive = AP_CONN_CLOSE;
95f012 
         }
95f012
95f012 
-        /*
95f012 
-         * On SSL connections set a note on the connection what CN is
95f012 
-         * requested, such that mod_ssl can check if it is requested to do
95f012 
-         * so.
95f012 
-         *
95f012 
-         * https://github.com/apache/httpd/commit/7d272e2628b4ae05f68cdc74b070707250896a34
95f012 
-         */
95f012 
-        if (backend->ssl_hostname) {
95f012 
-            apr_table_setn(backend->connection->notes,
95f012 
-                           "proxy-request-hostname",
95f012 
-                           backend->ssl_hostname);
95f012 
-        }
95f012 
-
95f012 
         /* Step Four: Send the Request
95f012 
          * On the off-chance that we forced a 100-Continue as a
95f012 
          * kinda HTTP ping test, allow for retries
95f012 
diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
95f012 
index ec9a414..805820d 100644
95f012 
--- a/modules/proxy/proxy_util.c
95f012 
+++ b/modules/proxy/proxy_util.c
95f012 
@@ -3261,6 +3261,16 @@ static int proxy_connection_create(const char *proxy_function,
95f012 
                          backend_addr, conn->hostname);
95f012 
             return HTTP_INTERNAL_SERVER_ERROR;
95f012 
         }
95f012 
+        if (conn->ssl_hostname) {
95f012 
+            /* Set a note on the connection about what CN is requested,
95f012 
+             * such that mod_ssl can check if it is requested to do so.
95f012 
+             */
95f012 
+            ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, conn->connection,
95f012 
+                          "%s: set SNI to %s for (%s)", proxy_function,
95f012 
+                          conn->ssl_hostname, conn->hostname);
95f012 
+            apr_table_setn(conn->connection->notes, "proxy-request-hostname",
95f012 
+                           conn->ssl_hostname);
95f012 
+        }
95f012 
     }
95f012 
     else {
95f012 
         /* TODO: See if this will break FTP */
95f012 
diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
95f012 
index 4e3875a..9b4280c 100644
95f012 
--- a/modules/ssl/ssl_engine_io.c
95f012 
+++ b/modules/ssl/ssl_engine_io.c
95f012 
@@ -1273,7 +1273,6 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
95f012 
             ((dc->proxy->ssl_check_peer_cn != FALSE) ||
95f012 
              (dc->proxy->ssl_check_peer_name == TRUE)) &&
95f012 
             hostname_note) {
95f012 
-            apr_table_unset(c->notes, "proxy-request-hostname");
95f012 
             if (!cert
95f012 
                 || modssl_X509_match_name(c->pool, cert, hostname_note,
95f012 
                                           TRUE, server) == FALSE) {
95f012 
@@ -1290,7 +1289,6 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
95f012
95f012 
             hostname = ssl_var_lookup(NULL, server, c, NULL,
95f012 
                                       "SSL_CLIENT_S_DN_CN");
95f012 
-            apr_table_unset(c->notes, "proxy-request-hostname");
95f012
95f012 
             /* Do string match or simplest wildcard match if that
95f012 
              * fails. */

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation