On 03.07.2013 19:04, Eric Covener wrote: >> URL: >> http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c?rev=1497466&r1=1497465&r2=1497466&view=diff >> ============================================================================== >> --- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c (original) >> +++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c Thu Jun 27 >> 17:24:58 2013 >> @@ -1063,9 +1063,39 @@ static int ssl_io_filter_connect(ssl_fil >> >> server = sslconn->server; >> if (sslconn->is_proxy) { >> - const char *hostname_note; >> - >> +#ifndef OPENSSL_NO_TLSEXT >> + apr_ipsubnet_t *ip; >> +#endif >> + const char *hostname_note = apr_table_get(c->notes, >> + "proxy-request-hostname"); >> sc = mySrvConfig(server); >> + >> +#ifndef OPENSSL_NO_TLSEXT >> + /* >> + * Enable SNI for backend requests. Make sure we don't do it for >> + * pure SSLv2 or SSLv3 connections, and also prevent IP addresses >> + * from being included in the SNI extension. (OpenSSL would simply >> + * pass them on, but RFC 6066 is quite clear on this: "Literal >> + * IPv4 and IPv6 addresses are not permitted".) >> + */ >> + if (hostname_note && >> + sc->proxy->protocol != SSL_PROTOCOL_SSLV2 && > > > A user on IRC reported that the SSL_PROTOCOL_SSLV2 here caused a build > break on his debian system. Does it need to be wrapped in a > OPENSSL_NO_SSL2 macro?
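Review bot: The comparison `sc->proxy->protocol != SSL_PROTOCOL_SSLV2` in the added `if (hostname_note &&` condition is guarded only by `#ifndef OPENSSL_NO_TLSEXT`, so it is compiled even when SSLv2 support is absent, which matches the build break reported in this thread. Wrap that one comparison in `#ifndef OPENSSL_NO_SSL2` / `#endif` so the SNI block still compiles on such builds, leaving the `hostname_note` test in place. The quoted hunk stops at this line, so the rest of the condition, including the use of `apr_ipsubnet_t *ip` for the IP-literal check the comment describes, is not visible and is not covered by this note.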
Oops, yes. Proposed

http://people.apache.org/~rjung/patches/sni-backend-fix-r1497466-2_2.patch

in STATUS right now. Doesn't apply to trunk and 2.4 due to removed SSLv2 support there.

Regards,

Rainer
