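diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 15993f1..53ed6f1 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -55,6 +55,7 @@ SSLModConfigRec *ssl_config_global_create(server_rec *s)
 mc = (SSLModConfigRec *)apr_palloc(pool, sizeof(*mc));
 mc->pPool = pool;
 mc->bFixed = FALSE;
+ mc->sni_required = FALSE;
 
 /*
 * initialize per-module configuration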
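diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index bf1f0e4..a7523de 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -409,7 +409,7 @@
 /*
 * Configuration consistency checks
 */
- if ((rv = ssl_init_CheckServers(base_server, ptemp)) != APR_SUCCESS) {
+ if ((rv = ssl_init_CheckServers(mc, base_server, ptemp)) != APR_SUCCESS) {
 return rv;
 }
 
@@ -1475,7 +1475,7 @@
 return APR_SUCCESS;
 }
 
-apr_status_t ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
+apr_status_t ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *base_server, apr_pool_t *p)
 {
 server_rec *s;
 SSLSrvConfigRec *sc;
@@ -1557,6 +1557,7 @@
 }
 
 if (conflict) {
+ mc->sni_required = TRUE;
 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01917)
 "Init: Name-based SSL virtual hosts require "
 "an OpenSSL version with support for TLS extensions "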
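Review bot: The new assignment `mc->sni_required = TRUE;` in the `if (conflict)` branch carries no comment saying what it switches on, so a reader of ssl_init_CheckServers cannot tell that it enables a request-time access check in ssl_engine_kernel.c; a one-liner such as `/* vhosts on a shared ip:port differ in SSL config: enforce SNI/Host consistency per request */` above it would make the coupling visible. The flag is only ever raised here and relies on the FALSE initialisation done in ssl_config_global_create, which is fine but worth stating in that comment. How `conflict` is computed lies outside the hunk, so whether it covers every SSL setting that can legitimately differ between two name-based vhosts cannot be confirmed from this page. The body of ssl_init_CheckServers continues outside the hunk.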
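diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index bc9e26b..2460f01 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -164,6 +164,7 @@
 server_rec *handshakeserver = sslconn->server;
 SSLSrvConfigRec *hssc = mySrvConfig(handshakeserver);
 
+ if (myModConfig(r->server)->sni_required) {
 if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
 /*
 * The SNI extension supplied a hostname. So don't accept requests
@@ -206,6 +207,7 @@
 "which is required to access this server. \n");
 return HTTP_FORBIDDEN;
 }
+ }
 }
 #endif
 modssl_set_app_data2(ssl, r);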
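Review bot: The comment `* The SNI extension supplied a hostname. So don't accept requests` now sits under the new `if (myModConfig(r->server)->sni_required)` gate, so it describes an unconditional rejection that the code no longer performs; it should open with the new precondition, e.g. `* sni_required is set: vhosts with differing SSL settings share this ip:port, so a request whose Host disagrees with the SNI name must not be served.`. Since the gate is one module-global flag decided at init, a request that negotiated one vhost via SNI and names another in its Host header is now served by the second vhost whenever no conflict was detected, instead of getting the HTTP_FORBIDDEN shown in the second hunk; that is only sound if the init-time conflict detection accounts for every SSL parameter that can differ between `handshakeserver` and `r->server`, and the comment should record that dependency so the two pieces are not changed independently later. The `#endif` in the second hunk closes a conditional whose opening line is outside the first hunk, and the enclosing function starts and ends outside both hunks.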
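diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 75fc0e3..31dbfa9 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -554,6 +554,7 @@ typedef struct {
 apr_global_mutex_t *stapling_cache_mutex;
 apr_global_mutex_t *stapling_refresh_mutex;
 #endif
+ BOOL sni_required;
 } SSLModConfigRec;
 
 /** Structure representing configured filenames for certs and keys for
@@ -786,7 +787,7 @@
 apr_status_t ssl_init_Engine(server_rec *, apr_pool_t *);
 apr_status_t ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *,
 apr_array_header_t *);
-apr_status_t ssl_init_CheckServers(server_rec *, apr_pool_t *);
+apr_status_t ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *, apr_pool_t *);
 STACK_OF(X509_NAME)
 *ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *);
 void ssl_init_Child(apr_pool_t *, server_rec *);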
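Review bot: `BOOL sni_required;` is added to SSLModConfigRec with no comment, although it is the switch for a request-time access decision in ssl_engine_kernel.c; document it at the declaration, e.g. `/* TRUE when ssl_init_CheckServers found name-based vhosts with conflicting SSL config on one ip:port; enables the per-request SNI/Host consistency check */`. The field is placed after the `#endif`, so it is unconditional, which matches its unconditional initialisation in ssl_config_global_create and its unconditional use in ssl_init_CheckServers. As a point of style, the new prototype names its first parameter (`SSLModConfigRec *mc`) while every other parameter in this declaration block is unnamed; for consistency with the header write `apr_status_t ssl_init_CheckServers(SSLModConfigRec *, server_rec *, apr_pool_t *);`.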