+1 on the patch for backporting.

Regards

Rüdiger

> -----Original Message-----
> From: Kaspar Brand [mailto:
> Sent: Mittwoch, 10. Juli 2013 10:45
> To: [email protected]
> Cc: William A. Rowe Jr.
> Subject: Re: svn commit: r1500108 - in /httpd/httpd/branches/2.2.x:
> CHANGES STATUS modules/ssl/ssl_engine_io.c
>
> On 10.07.2013 10:32, William A. Rowe Jr. wrote:
> > If you frame this as a fast vote for adoption, and correct the text
> > in https://dist.apache.org/repos/dist/release/httpd/Announcement2.2.txt
> > as well as the .html version, I'll post that in my morning (which is
> > still stuck on PDT from my travels).
>
> Ok, so after some further offlist discussion, here's the proposal for
> 2.2.26, and the patch to be referenced in the 2.2.25 announcement:
>
> - backout r1500108
>
> - apply the attached patch for fixing PR55194
>
> I think we only need one more +1 here on @dev to apply this to 2.2.x.
>
> Kaspar
>
>
> For the sake of reference, here are some more bits about the gory
> details:
>
> > Let me explain the purpose of the
> > if block with these conditions:
> >
> > if (hostname_note &&
> >     sc->proxy->protocol != SSL_PROTOCOL_SSLV3 &&
> >     apr_ipsubnet_create(&ip, hostname_note, NULL,
> >                         c->pool) != APR_SUCCESS) {
> >
> > The second and the third condition are only needed for SSLv3 and TLS
> > handshakes, as only in this case, OpenSSL will call
> > ssl/t1_lib.c:ssl_add_clienthello_tlsext()... which is the place where a
> > potentially improper SNI extension could be added.
> >
> > In 2.2.x, if sc->proxy->protocol is equal to SSL_PROTOCOL_SSLV2 and
> > we're omitting the "sc->proxy->protocol != SSL_PROTOCOL_SSLV2" check,
> > then SSL_set_tlsext_host_name() will be called, yes, but the name set in
> > OpenSSL's respective SSL struct is simply ignored later on, as
> > ssl/s2_clnt.c - which implements SSLv2_client_method() and ssl2_connect
> > - never calls ssl_add_clienthello_tlsext(). Compare this to
> > SSLv3_client_method(), TLSv1_client_method() etc., which do call
> > ssl_add_clienthello_tlsext().
> >
> > Or, looking at it from the spec point of view: in a pure SSLv2
> > connection (sc->proxy->protocol == SSL_PROTOCOL_SSLV2), there isn't any
> > way for OpenSSL to put any extensions into the ClientHello - the
> > original SSL 2.0 specification simply doesn't provide any such field in
> > its protocol definition.
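The SNI decision discussed in the quoted explanation, as an added example that is not part of this thread or of httpd's own code: it models the three-part check (a host name is known, the proxy protocol is not SSLv2, the name is not an IP literal), using inet_pton() as a stand-in for apr_ipsubnet_create(); the PROTO_* enum and the function names are hypothetical.

```c
/* Added example, not httpd's own code: models the SNI decision described
 * above for a proxy client. SNI is a ClientHello extension that exists
 * only from SSLv3/TLS on, so setting it under SSLv2 is pointless, and
 * RFC 6066 forbids literal IP addresses in the HostName field, so an IP
 * literal must never be sent as SNI. apr_ipsubnet_create() from the quoted
 * check is replaced by inet_pton() (assumption: POSIX sockets API). */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for mod_ssl's SSL_PROTOCOL_* flags. */
enum proxy_protocol { PROTO_SSLV2, PROTO_SSLV3, PROTO_TLSV1, PROTO_ALL };

/* Returns 1 if name parses as a literal IPv4 or IPv6 address, else 0. */
int is_ip_literal(const char *name)
{
    struct in_addr v4;
    struct in6_addr v6;
    return inet_pton(AF_INET, name, &v4) == 1 ||
           inet_pton(AF_INET6, name, &v6) == 1;
}

/* Mirrors the three-part condition of the quoted if block: a host name is
 * known, the proxy connection is not SSLv2, and the name is not an IP
 * literal. Returns 1 when SSL_set_tlsext_host_name() should be called. */
int should_set_sni(const char *hostname_note, enum proxy_protocol proto)
{
    if (hostname_note == NULL || hostname_note[0] == '\0')
        return 0;                 /* no name known for this request */
    if (proto == PROTO_SSLV2)
        return 0;                 /* SSLv2 ClientHello carries no extensions */
    if (is_ip_literal(hostname_note))
        return 0;                 /* RFC 6066: no IP literals in HostName */
    return 1;
}

int main(void)
{
    /* Constructed sample inputs: host name, IPv4 and IPv6 literals, empty. */
    const char *names[] = { "backend.example.org", "192.0.2.10", "2001:db8::1", "" };
    enum proxy_protocol protos[] = { PROTO_TLSV1, PROTO_SSLV2 };
    for (size_t i = 0; i < 4; i++)
        for (size_t j = 0; j < 2; j++)
            printf("%-20s proto=%d -> set SNI: %d\n", names[i], protos[j],
                   should_set_sni(names[i], protos[j]));
    return 0;
}
```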
