On 10.07.2013 07:53, William A. Rowe Jr. wrote:
> Color me confused. Where SSLv2 alone is dropped from the stock OpenSSL
> build, 2.2.25 would not compile. The www.a.o/dist/httpd/Announcement
> file calls out this patch as a workaround, which I will publish once
> I have sorted why the binary win32 dbd drivers don't correspond to the
> prior release.
>
> Could you rephrase what you are getting at so we can correct the ANN
> message? http://www.apache.org/dist/httpd/Announcement2.2.txt para 5.
Apologies for having been confusing... let code speak, that should
hopefully make things clear. Here's what I would suggest for
ssl_engine_io.c in 2.2.26:
--- snip ---
#ifndef OPENSSL_NO_TLSEXT
    /*
     * Enable SNI for backend requests. Make sure we don't do it for
     * pure SSLv3 connections, and also prevent IP addresses
     * from being included in the SNI extension. (OpenSSL would simply
     * pass them on, but RFC 6066 is quite clear on this: "Literal
     * IPv4 and IPv6 addresses are not permitted".)
     */
    if (hostname_note &&
        sc->proxy->protocol != SSL_PROTOCOL_SSLV3 &&
        apr_ipsubnet_create(&ip, hostname_note, NULL,
                            c->pool) != APR_SUCCESS) {
        if (SSL_set_tlsext_host_name(filter_ctx->pssl, hostname_note)) {
            ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
                          "SNI extension for SSL Proxy request set to '%s'",
                          hostname_note);
        } else {
            ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c,
                          "Failed to set SNI extension for SSL Proxy "
                          "request to '%s'", hostname_note);
            ssl_log_ssl_error(APLOG_MARK, APLOG_WARNING, server);
        }
    }
#endif
--- snip ---
Kaspar
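The decision the snippet above makes (set SNI only when a hostname is present, the backend protocol is not pure SSLv3, and the name is not an IP literal per RFC 6066 section 3), as an added stand-alone example that is not code from this thread or from httpd. It assumes POSIX inet_pton() as a stand-in for apr_ipsubnet_create(), and the function names sni_is_ip_literal() and sni_should_send() are hypothetical.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if host is an IPv4 or IPv6 literal (an IPv6 literal may be
 * wrapped in [] as it appears in URLs), 0 otherwise. inet_pton() stands in
 * for the apr_ipsubnet_create() test used in the mod_ssl snippet. */
int sni_is_ip_literal(const char *host)
{
    unsigned char buf[16];           /* large enough for an IPv6 address */
    char tmp[INET6_ADDRSTRLEN + 1];
    size_t len = strlen(host);

    if (len >= 2 && host[0] == '[' && host[len - 1] == ']') {
        if (len - 2 >= sizeof(tmp)) {
            return 0;                /* too long to be an address */
        }
        memcpy(tmp, host + 1, len - 2);
        tmp[len - 2] = '\0';
        host = tmp;
    }
    return inet_pton(AF_INET, host, buf) == 1 ||
           inet_pton(AF_INET6, host, buf) == 1;
}

/* Mirrors the three conditions of the snippet: a hostname must be present
 * (additionally non-empty here), the proxy protocol must not be pure SSLv3
 * (SSLv3 has no extensions), and the name must not be an IP literal.
 * Returns 1 if the SNI extension should be set, 0 if it must be omitted. */
int sni_should_send(const char *hostname_note, int proxy_is_sslv3)
{
    return hostname_note != NULL && hostname_note[0] != '\0'
        && !proxy_is_sslv3
        && !sni_is_ip_literal(hostname_note);
}

int main(void)
{
    /* constructed sample backend names */
    const char *cases[] = { "backend.example.org", "10.0.0.5",
                            "[2001:db8::1]", "2001:db8::1" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-22s -> SNI %s\n", cases[i],
               sni_should_send(cases[i], 0) ? "set" : "omitted");
    }
    return 0;
}
```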