rpms / httpd

Clone
Source Code
GIT

Blame SOURCES/httpd-2.4.37-add-SNI-support.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-2.4 c8-sig-artwork c8-stream-2.4 c8s-stream-2.4 c9 c9-beta
  1.   f33ba3f8b11e89ef0f26a9b289fe1cac7cbb8656
  2.   SOURCES
  3.   httpd-2.4.37-add-SNI-support.patch
Blob History Raw
f33ba3 
commit 4c0e27d7bfbf46f14dfbd5d888e56c64ad8c8de5
f33ba3 
Author: Tomas Korbar <tkorbar@redhat.com>
f33ba3 
Date:   Mon Sep 19 13:22:27 2022 +0200
f33ba3
f33ba3 
    Backport refactor of SNI support to httpd-2.4.37
f33ba3
f33ba3 
diff --git a/modules/http2/mod_proxy_http2.c b/modules/http2/mod_proxy_http2.c
f33ba3 
index a7e0dcd..31ccd32 100644
f33ba3 
--- a/modules/http2/mod_proxy_http2.c
f33ba3 
+++ b/modules/http2/mod_proxy_http2.c
f33ba3 
@@ -591,16 +591,6 @@ run_connect:
f33ba3 
         }
f33ba3
f33ba3 
         if (!ctx->p_conn->data) {
f33ba3 
-            /* New conection: set a note on the connection what CN is
f33ba3 
-             * requested and what protocol we want */
f33ba3 
-            if (ctx->p_conn->ssl_hostname) {
f33ba3 
-                ap_log_cerror(APLOG_MARK, APLOG_TRACE1, status, ctx->owner,
f33ba3 
-                              "set SNI to %s for (%s)",
f33ba3 
-                              ctx->p_conn->ssl_hostname,
f33ba3 
-                              ctx->p_conn->hostname);
f33ba3 
-                apr_table_setn(ctx->p_conn->connection->notes,
f33ba3 
-                               "proxy-request-hostname", ctx->p_conn->ssl_hostname);
f33ba3 
-            }
f33ba3 
             if (ctx->is_ssl) {
f33ba3 
                 apr_table_setn(ctx->p_conn->connection->notes,
f33ba3 
                                "proxy-request-alpn-protos", "h2");
f33ba3 
diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
f33ba3 
index 1b7bb81..c1c591a 100644
f33ba3 
--- a/modules/proxy/mod_proxy_http.c
f33ba3 
+++ b/modules/proxy/mod_proxy_http.c
f33ba3 
@@ -2111,19 +2111,6 @@ static int proxy_http_handler(request_rec *r, proxy_worker *worker,
f33ba3 
             req->origin->keepalive = AP_CONN_CLOSE;
f33ba3 
         }
f33ba3
f33ba3 
-        /*
f33ba3 
-         * On SSL connections set a note on the connection what CN is
f33ba3 
-         * requested, such that mod_ssl can check if it is requested to do
f33ba3 
-         * so.
f33ba3 
-         *
f33ba3 
-         * https://github.com/apache/httpd/commit/7d272e2628b4ae05f68cdc74b070707250896a34
f33ba3 
-         */
f33ba3 
-        if (backend->ssl_hostname) {
f33ba3 
-            apr_table_setn(backend->connection->notes,
f33ba3 
-                           "proxy-request-hostname",
f33ba3 
-                           backend->ssl_hostname);
f33ba3 
-        }
f33ba3 
-
f33ba3 
         /* Step Four: Send the Request
f33ba3 
          * On the off-chance that we forced a 100-Continue as a
f33ba3 
          * kinda HTTP ping test, allow for retries
f33ba3 
diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
f33ba3 
index ec9a414..805820d 100644
f33ba3 
--- a/modules/proxy/proxy_util.c
f33ba3 
+++ b/modules/proxy/proxy_util.c
f33ba3 
@@ -3261,6 +3261,16 @@ static int proxy_connection_create(const char *proxy_function,
f33ba3 
                          backend_addr, conn->hostname);
f33ba3 
             return HTTP_INTERNAL_SERVER_ERROR;
f33ba3 
         }
f33ba3 
+        if (conn->ssl_hostname) {
f33ba3 
+            /* Set a note on the connection about what CN is requested,
f33ba3 
+             * such that mod_ssl can check if it is requested to do so.
f33ba3 
+             */
f33ba3 
+            ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, conn->connection,
f33ba3 
+                          "%s: set SNI to %s for (%s)", proxy_function,
f33ba3 
+                          conn->ssl_hostname, conn->hostname);
f33ba3 
+            apr_table_setn(conn->connection->notes, "proxy-request-hostname",
f33ba3 
+                           conn->ssl_hostname);
f33ba3 
+        }
f33ba3 
     }
f33ba3 
     else {
f33ba3 
         /* TODO: See if this will break FTP */
f33ba3 
diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
f33ba3 
index 4e3875a..9b4280c 100644
f33ba3 
--- a/modules/ssl/ssl_engine_io.c
f33ba3 
+++ b/modules/ssl/ssl_engine_io.c
f33ba3 
@@ -1273,7 +1273,6 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
f33ba3 
             ((dc->proxy->ssl_check_peer_cn != FALSE) ||
f33ba3 
              (dc->proxy->ssl_check_peer_name == TRUE)) &&
f33ba3 
             hostname_note) {
f33ba3 
-            apr_table_unset(c->notes, "proxy-request-hostname");
f33ba3 
             if (!cert
f33ba3 
                 || modssl_X509_match_name(c->pool, cert, hostname_note,
f33ba3 
                                           TRUE, server) == FALSE) {
f33ba3 
@@ -1290,7 +1289,6 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
f33ba3
f33ba3 
             hostname = ssl_var_lookup(NULL, server, c, NULL,
f33ba3 
                                       "SSL_CLIENT_S_DN_CN");
f33ba3 
-            apr_table_unset(c->notes, "proxy-request-hostname");
f33ba3
f33ba3 
             /* Do string match or simplest wildcard match if that
f33ba3 
              * fails. */

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation