On Fri, Feb 09, 2018 at 09:40:33PM +0100, Landry Breuil wrote:
> On Fri, Feb 09, 2018 at 07:54:22PM +0100, Landry Breuil wrote:
> > Hi,
I think I found it with some printf-debugging...
If the default vhost has no tls config, and any of the other vhosts has some
non-default tls config (for protocols, ticket, dhe, ciphers..), the
server_match() function will return the default vhost for 's', and then parse.y
unconditionally compares the tls config for s and the current server - as the
default vhost has no tls config, of course they won't match.
My idea would be to compare the tls configs only if the default vhost has a tls
config.. but I'm not sure that's the way to go, since I'm not sure I understand
the rationale about comparing tls configs. Any httpd/ssl experts? Joel, I
think it is this way since r1.79...
With this diff, I can validate a config that would previously error out. I'm not
sure this is the way to go of course.
Index: parse.y
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/parse.y,v
retrieving revision 1.92
diff -u -r1.92 parse.y
--- parse.y 28 Aug 2017 06:00:05 -0000 1.92
+++ parse.y 9 Feb 2018 22:40:20 -0000
@@ -316,7 +316,8 @@
free(srv);
YYERROR;
}
- if (server_tls_cmp(s, srv, 0) != 0) {
+ if ((s->srv_conf.flags & SRVFLAG_TLS) &&
+ (server_tls_cmp(s, srv, 0) != 0)) {
yyerror("server \"%s\": tls "
"configuration mismatch on same "
"address/port",
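Review bot: the new guard is one-sided: it only tests `s->srv_conf.flags & SRVFLAG_TLS` on the already-matched server `s`, so when `s` has no TLS but the server being added (`srv`) does, `server_tls_cmp()` is never called and the "tls configuration mismatch on same address/port" error is silently skipped for exactly that combination (a TLS vhost sharing a listen address/port with a non-TLS one), which is at least as much a mismatch as two differing TLS configs. If the intent is to skip the comparison only when neither side is TLS, the condition should look at both servers, e.g. `((s->srv_conf.flags | srv->srv_conf.flags) & SRVFLAG_TLS)`, and the case where only one side has `SRVFLAG_TLS` should still hit the `yyerror()` (or be documented as deliberately allowed). Also, if `server_tls_cmp()` already accounts for the flag, a short comment above the `if` explaining why the flag check is needed would help the next reader, and the extra parentheses around `(server_tls_cmp(s, srv, 0) != 0)` are not needed.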
Landry