On Wed, 10 Jul 2013 07:41:35 +0200 Kaspar Brand <[email protected]> wrote:
> On 05.07.2013 21:25, [email protected] wrote:
> > Author: rjung
> > Date: Fri Jul  5 19:25:28 2013
> > New Revision: 1500108
> >
> > URL: http://svn.apache.org/r1500108
> > Log:
> > mod_ssl: Fix "SNI for backend" when compiled against
> > OpenSSL without support for SSLv2.
> >
> > PR 55194.
> >
> > Followup to r1497466. Does not apply to trunk or 2.4.x.
>
> I missed the review of r1497466 (i.e. the backport of r1175416) in
> time, sorry... however, note that for 2.2.26, in the following code:
>
> > Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c
> > URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c?rev=1500108&r1=1500107&r2=1500108&view=diff
> > ==============================================================================
> > --- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c (original)
> > +++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c Fri Jul  5 19:25:28 2013
> > @@ -1079,7 +1079,9 @@ static int ssl_io_filter_connect(ssl_fil
> >       * IPv4 and IPv6 addresses are not permitted".)
> >       */
> >      if (hostname_note &&
> > +#ifndef OPENSSL_NO_SSL2
> >          sc->proxy->protocol != SSL_PROTOCOL_SSLV2 &&
> > +#endif
> >          sc->proxy->protocol != SSL_PROTOCOL_SSLV3 &&
> >          apr_ipsubnet_create(&ip, hostname_note, NULL,
> >                              c->pool) != APR_SUCCESS) {
>
> it might make more sense to completely drop the #ifndef block, since
> OpenSSL itself will never add TLS extensions for SSLv2
> connections (that's the reason why even in trunk/2.4 we only check for
> SSL_PROTOCOL_SSLV3).
>
> Furthermore, with OpenSSL 1.0.0 and later, or 0.9.8m or later, the
> glitch of including an SNI extension in an SSLv3 ClientHello has been
> fixed in OpenSSL itself, so it's even debatable if we still need to
> guard against this (0.9.8m and 1.0.0 were released in February/March
> 2010). See
>
> http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=1629
> http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=18f8258a87bd3b4099f5ab6f788c7bc2bfa00f9c
> http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5d577d7eb0f6cd2432b60e6abececc6f7c9bbb79
>
> Kaspar

Color me confused. Where SSLv2 alone is dropped from the stock OpenSSL
build, 2.2.25 would not compile. The www.a.o/dist/httpd/Announcement
file calls out this patch as a workaround, which I will publish once I
have sorted why the binary win32 dbd drivers don't correspond to the
prior release.

Could you rephrase what you are getting at so we can correct the ANN
message? http://www.apache.org/dist/httpd/Announcement2.2.txt para 5.

Bill
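Review bot: the `#ifndef OPENSSL_NO_SSL2` guard wrapped around `sc->proxy->protocol != SSL_PROTOCOL_SSLV2 &&` fixes the build but keeps a comparison that can never matter: as the reply points out, OpenSSL adds no TLS extensions to an SSLv2 ClientHello, and trunk/2.4 test only SSL_PROTOCOL_SSLV3. Dropping both the guard and the SSLv2 line, so that `sc->proxy->protocol != SSL_PROTOCOL_SSLV3 &&` is the only protocol check left in the condition, removes the undefined-symbol failure (PR 55194) without a preprocessor conditional in the middle of an `if`.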
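The condition in the hunk above decides whether mod_ssl sets an SNI hostname on the backend connection: only when a hostname is known, it is not an IP literal (RFC 6066 forbids IP addresses in server_name), and the proxy protocol is not SSLv3. The following is an added example, not code from httpd or from either poster: a small Python model of that decision, plus a builder and parser for a minimal TLS ClientHello record so one can check, on a captured or constructed hello, whether an SNI extension ended up in an SSLv3 hello or carries an IP literal, the two cases the code guards against. The `should_set_sni` rule is a simplification of the hunk's condition (assumed, not the project's own API), the version tuple `(3, 0)` stands for SSLv3, and all ClientHello bytes are constructed here.

```python
import ipaddress
import struct

SNI_EXT_TYPE = 0          # server_name extension type, RFC 6066
SSLV3 = (3, 0)            # ClientHello client_version for SSLv3 (assumed mapping)


def should_set_sni(hostname, version):
    """Simplified model of the mod_ssl condition (assumption, not httpd's API):
    set SNI only for a non-IP hostname on a handshake that is not SSLv3."""
    if hostname is None or version == SSLV3:
        return False
    try:
        ipaddress.ip_address(hostname.strip("[]"))   # "[::1]" style literals too
        return False                                  # IP literal: no SNI
    except ValueError:
        return True                                   # a real hostname


def build_client_hello(version, sni=None):
    """Construct a minimal TLS record holding a ClientHello (constructed data,
    not a capture). One cipher suite, null compression, optional SNI."""
    major, minor = version
    body = bytes([major, minor]) + b"\x00" * 32        # client_version + random
    body += b"\x00"                                    # session_id length 0
    body += struct.pack(">H", 2) + b"\x00\x2f"         # TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                                # one compression method: null
    if sni is not None:
        name = sni.encode()
        entry = b"\x00" + struct.pack(">H", len(name)) + name     # host_name(0) + len + name
        sn_list = struct.pack(">H", len(entry)) + entry           # ServerNameList
        ext = struct.pack(">HH", SNI_EXT_TYPE, len(sn_list)) + sn_list
        body += struct.pack(">H", len(ext)) + ext                 # extensions block
    hs = b"\x01" + len(body).to_bytes(3, "big") + body            # handshake: client_hello(1)
    return b"\x16" + bytes([major, minor]) + struct.pack(">H", len(hs)) + hs


def parse_client_hello(record):
    """Return (client_version, sni_or_None) from a TLS record holding a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    hs_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + hs_len]
    if hs[0] != 1:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = (body[0], body[1])
    off = 2 + 32                                       # skip version + random
    off += 1 + body[off]                               # session_id
    cs_len = struct.unpack(">H", body[off:off + 2])[0]
    off += 2 + cs_len                                  # cipher_suites
    off += 1 + body[off]                               # compression_methods
    sni = None
    if off < len(body):                                # extensions are optional
        ext_len = struct.unpack(">H", body[off:off + 2])[0]
        off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack(">HH", body[off:off + 4])
            off += 4
            data = body[off:off + elen]
            off += elen
            if etype == SNI_EXT_TYPE:
                # ServerNameList: 2-byte list length, NameType(1), 2-byte length, name
                name_len = struct.unpack(">H", data[3:5])[0]
                sni = data[5:5 + name_len].decode()
    return version, sni


def check_hello(record):
    """Report the two conditions the mod_ssl code avoids producing."""
    version, sni = parse_client_hello(record)
    problems = []
    if sni is not None and version == SSLV3:
        problems.append("SNI extension in an SSLv3 ClientHello")
    if sni is not None:
        try:
            ipaddress.ip_address(sni)
            problems.append("SNI carries an IP literal (RFC 6066 forbids it)")
        except ValueError:
            pass
    return version, sni, problems


if __name__ == "__main__":
    for host, ver in [("backend.example", (3, 1)), ("10.0.0.5", (3, 1)), ("backend.example", SSLV3)]:
        print(host, ver, "-> set SNI:", should_set_sni(host, ver))
    print(check_hello(build_client_hello(SSLV3, "backend.example")))
```

`check_hello` is the part worth running against real traffic: feed it the first record the proxy sends to a backend (the bytes of a handshake record from a capture) and an empty problem list confirms the hello is consistent with the rule above.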
