On Mon, Mar 23, 2009 at 11:51 AM,  <[email protected]> wrote:
> Author: rpluem
> Date: Mon Mar 23 10:51:00 2009
> New Revision: 757373
>
> URL: http://svn.apache.org/viewvc?rev=757373&view=rev
> Log:
> * If the SNI extension supplied a hostname, don't accept requests with
>  either no hostname or a different hostname.
>
> Modified:
>    httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
>
> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
> URL: 
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=757373&r1=757372&r2=757373&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Mon Mar 23 10:51:00 2009
> @@ -160,11 +160,31 @@
>         return DECLINED;
>     }
>  #ifndef OPENSSL_NO_TLSEXT
> -    if (!r->hostname &&
> -        (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
> -        /* Use the SNI extension as the hostname if no Host: header was sent 
> */
> -        r->hostname = apr_pstrdup(r->pool, servername);
> -        ap_update_vhost_from_headers(r);
> +    if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
> +        char *host, *scope_id;
> +        apr_port_t port;
> +        apr_status_t rv;
> +
> +        /*
> +         * The SNI extension supplied a hostname. So don't accept requests
> +         * with either no hostname or a different hostname.
> +         */
> +        if (!r->hostname) {
> +            ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
> +                        "Hostname %s provided via SNI, but no hostname"
> +                        " provided in HTTP request", servername);
> +            return HTTP_BAD_REQUEST;
> +        }
> +        rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, 
> r->pool);
> +        if (rv != APR_SUCCESS || scope_id) {
> +            return HTTP_BAD_REQUEST;
> +        }
> +        if (strcmp(host, servername)) {
> +            ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
> +                        "Hostname %s provided via SNI and hostname %s 
> provided"
> +                        " via HTTP are different", servername, host);
> +            return HTTP_BAD_REQUEST;
> +        }

shouldn't this be ap_strcasecmp_match instead of strcmp?

Thanks,
Paul
