On Thu, Jan 22, 2015 at 4:45 PM, Eric Covener <[email protected]> wrote:
> On Thu, Jan 22, 2015 at 8:27 AM, Michael Kaufmann
> <[email protected]> wrote:
>> Hi,
>>
>> It would be great if somebody finds time to review the proposed patch for
>> bug 57100 (and maybe commit it to trunk). Any feedback would be greatly
>> appreciated.
>>
>> -> https://issues.apache.org/bugzilla/show_bug.cgi?id=57100
>
> Thanks, committed to trunk and proposed for 2.4.x.
I was about to propose a different patch which may be less intrusive
(it does not require defining a new SSL_PROTOCOL_UNSET).
It simply initializes the base server's protocol with SSL_PROTOCOL_ALL
(as before) but the vhosts' protocol with SSL_PROTOCOL_NONE.
Then we can use cfgMerge(protocol, SSL_PROTOCOL_NONE) as proposed by Michael.
Something like this (based on the code before r1653906):
Index: modules/ssl/ssl_engine_config.c
===================================================================
--- modules/ssl/ssl_engine_config.c (revision 1653011)
+++ modules/ssl/ssl_engine_config.c (working copy)
@@ -97,7 +97,7 @@ BOOL ssl_config_global_isfixed(SSLModConfigRec *mc
** _________________________________________________________________
*/
-static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
+static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p, int vh)
{
mctx->sc = NULL; /* set during module init */
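Review bot: The new `vh` parameter on `modssl_ctx_init` is not documented, and the same applies to the `vh` added to `modssl_ctx_init_proxy`, `modssl_ctx_init_server` and `ssl_config_server_new` in the following hunks. Its only visible effect is the `protocol` initializer later in this function, so a one-line comment on the signature would save the next reader a search, e.g. `/* vh: non-zero for a virtual host; selects the "unset" protocol sentinel */`. Naming it `is_virtual`, after the `server_rec` field it is fed from in `ssl_config_server_create`, would make the plumbing self-describing. The body of `modssl_ctx_init` continues outside this hunk.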
@@ -110,7 +110,7 @@ BOOL ssl_config_global_isfixed(SSLModConfigRec *mc
mctx->ticket_key = NULL;
#endif
- mctx->protocol = SSL_PROTOCOL_ALL;
+ mctx->protocol = vh ? SSL_PROTOCOL_NONE : SSL_PROTOCOL_ALL;
mctx->pphrase_dialog_type = SSL_PPTYPE_UNSET;
mctx->pphrase_dialog_path = NULL;
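Review bot: The asymmetric default on the `+` line is the whole point of the patch, but nothing in the code says why the base server and vhosts differ, so a comment is warranted: `/* vhosts start with no protocols: SSL_PROTOCOL_NONE is the "unset" marker that lets cfgMerge() inherit the base server's set */`. A vhost context that is never merged would keep `SSL_PROTOCOL_NONE`, so it is worth confirming that context initialisation treats an empty protocol set as a hard error rather than substituting an implicit default; that code is outside this patch. `modssl_ctx_init` starts and ends outside this hunk.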
@@ -161,14 +161,13 @@ BOOL ssl_config_global_isfixed(SSLModConfigRec *mc
#endif
}
-static void modssl_ctx_init_proxy(SSLSrvConfigRec *sc,
- apr_pool_t *p)
+static void modssl_ctx_init_proxy(SSLSrvConfigRec *sc, apr_pool_t *p, int vh)
{
modssl_ctx_t *mctx;
mctx = sc->proxy = apr_palloc(p, sizeof(*sc->proxy));
- modssl_ctx_init(mctx, p);
+ modssl_ctx_init(mctx, p, vh);
mctx->pkp = apr_palloc(p, sizeof(*mctx->pkp));
@@ -179,14 +178,13 @@ BOOL ssl_config_global_isfixed(SSLModConfigRec *mc
mctx->pkp->ca_certs = NULL;
}
-static void modssl_ctx_init_server(SSLSrvConfigRec *sc,
- apr_pool_t *p)
+static void modssl_ctx_init_server(SSLSrvConfigRec *sc, apr_pool_t *p, int vh)
{
modssl_ctx_t *mctx;
mctx = sc->server = apr_palloc(p, sizeof(*sc->server));
- modssl_ctx_init(mctx, p);
+ modssl_ctx_init(mctx, p, vh);
mctx->pks = apr_pcalloc(p, sizeof(*mctx->pks));
@@ -198,7 +196,7 @@ BOOL ssl_config_global_isfixed(SSLModConfigRec *mc
#endif
}
-static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
+static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p, int vh)
{
SSLSrvConfigRec *sc = apr_palloc(p, sizeof(*sc));
@@ -224,9 +222,9 @@ BOOL ssl_config_global_isfixed(SSLModConfigRec *mc
#endif
sc->session_tickets = UNSET;
- modssl_ctx_init_proxy(sc, p);
+ modssl_ctx_init_proxy(sc, p, vh);
- modssl_ctx_init_server(sc, p);
+ modssl_ctx_init_server(sc, p, vh);
return sc;
}
@@ -236,7 +234,7 @@ BOOL ssl_config_global_isfixed(SSLModConfigRec *mc
*/
void *ssl_config_server_create(apr_pool_t *p, server_rec *s)
{
- SSLSrvConfigRec *sc = ssl_config_server_new(p);
+ SSLSrvConfigRec *sc = ssl_config_server_new(p, s->is_virtual);
sc->mc = ssl_config_global_create(s);
@@ -254,7 +252,7 @@ static void modssl_ctx_cfg_merge(apr_pool_t *p,
modssl_ctx_t *add,
modssl_ctx_t *mrg)
{
- cfgMerge(protocol, SSL_PROTOCOL_ALL);
+ cfgMerge(protocol, SSL_PROTOCOL_NONE);
cfgMerge(pphrase_dialog_type, SSL_PPTYPE_UNSET);
cfgMergeString(pphrase_dialog_path);
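Review bot: Using `SSL_PROTOCOL_NONE` as the merge sentinel means a vhost whose SSLProtocol directive evaluates to an empty set (if the directive parser allows subtracting every protocol) becomes indistinguishable from "not set" and silently inherits the base server's protocols instead of being rejected; the previous `SSL_PROTOCOL_ALL` sentinel had the mirror-image ambiguity for an explicit `all`. That trade-off should be recorded at the call, e.g. `/* NONE doubles as "unset" for vhosts (see modssl_ctx_init); an explicitly empty vhost set therefore inherits base */`. If `modssl_ctx_cfg_merge` is also used for the proxy context, the same sentinel semantics apply to SSLProxyProtocol and deserve the same note. `modssl_ctx_cfg_merge` begins above this hunk.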
@@ -337,7 +335,7 @@ void *ssl_config_server_merge(apr_pool_t *p, void
{
SSLSrvConfigRec *base = (SSLSrvConfigRec *)basev;
SSLSrvConfigRec *add = (SSLSrvConfigRec *)addv;
- SSLSrvConfigRec *mrg = ssl_config_server_new(p);
+ SSLSrvConfigRec *mrg = ssl_config_server_new(p, 1);
cfgMerge(mc, NULL);
cfgMerge(enabled, SSL_ENABLED_UNSET);
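Review bot: The bare `1` in `ssl_config_server_new(p, 1)` carries the meaning "treat the merge target as a vhost so `protocol` starts at the NONE sentinel", which is not obvious at the call site; `SSLSrvConfigRec *mrg = ssl_config_server_new(p, 1 /* vh: merged config is always a vhost's */);` would make it self-explanatory. Passing 1 is correct only because every field whose initial value depends on `vh` is overwritten by a later merge step; in this patch that is just `protocol`, presumably via the `modssl_ctx_cfg_merge` call for the server and proxy contexts further down, and a comment tying the two together would help keep that invariant when more `vh`-dependent defaults are added. The rest of `ssl_config_server_merge` is outside this hunk.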
--