On Fri, Feb 09, 2018 at 09:40:33PM +0100, Landry Breuil wrote:
> On Fri, Feb 09, 2018 at 07:54:22PM +0100, Landry Breuil wrote:
> > Hi,

I think i found it with some printf-debugging...

If the default vhost has no tls config, and any of the other vhosts has some
non-default tls config (for protocols, ticket, dhe, ciphers..), the
server_match() function will return the default vhost for 's', and then parse.y
inconditionally compares the tls config for s and the current server - as the
default vhost has no tls config, of course they wont match.

My idea would be to compare the tls configs only if the default vhost has a tls
config.. but i'm not sure that's the way to go, since i'm not sure i understand
the rationale about comparing tls configs. Any httpd/ssl experts? joel, i
think it is this way since r1.79...

With this diff, i can validate a config that would previously error out. I'm not
sure this is the way to go of course.

Index: parse.y
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/parse.y,v
retrieving revision 1.92
diff -u -r1.92 parse.y
--- parse.y     28 Aug 2017 06:00:05 -0000      1.92
+++ parse.y     9 Feb 2018 22:40:20 -0000
@@ -316,7 +316,8 @@
                                        free(srv);
                                        YYERROR;
                                }
-                               if (server_tls_cmp(s, srv, 0) != 0) {
+                               if ((s->srv_conf.flags & SRVFLAG_TLS) &&
+                                   (server_tls_cmp(s, srv, 0) != 0)) {
                                        yyerror("server \"%s\": tls "
                                            "configuration mismatch on same "
                                            "address/port",
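Review bot: the new guard on the `if` at the top of the hunk tests only `s->srv_conf.flags & SRVFLAG_TLS`, so whenever the default server `s` has no TLS the comparison is skipped entirely, including the case where `srv` itself has `SRVFLAG_TLS` set on the same address/port; that asymmetric case then passes validation without ever reaching the "tls configuration mismatch" yyerror. If the intent is only to allow a non-TLS default vhost to coexist with TLS vhosts, consider also checking `srv->srv_conf.flags & SRVFLAG_TLS` so that a TLS/non-TLS mismatch between the two is still reported, and spell out that intent in the commit message. Minor style point: the extra parentheses around `server_tls_cmp(s, srv, 0) != 0` are not needed.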

Landry
