On Wed, Jul 3, 2013 at 7:04 PM, Eric Covener <cove...@gmail.com> wrote:
> > URL: > http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c?rev=1497466&r1=1497465&r2=1497466&view=diff > > > ============================================================================== > > --- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c (original) > > +++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c Thu Jun 27 > 17:24:58 2013 > > @@ -1063,9 +1063,39 @@ static int ssl_io_filter_connect(ssl_fil > > > > server = sslconn->server; > > if (sslconn->is_proxy) { > > - const char *hostname_note; > > - > > +#ifndef OPENSSL_NO_TLSEXT > > + apr_ipsubnet_t *ip; > > +#endif > > + const char *hostname_note = apr_table_get(c->notes, > > + > "proxy-request-hostname"); > > sc = mySrvConfig(server); > > + > > +#ifndef OPENSSL_NO_TLSEXT > > + /* > > + * Enable SNI for backend requests. Make sure we don't do it for > > + * pure SSLv2 or SSLv3 connections, and also prevent IP > addresses > > + * from being included in the SNI extension. (OpenSSL would > simply > > + * pass them on, but RFC 6066 is quite clear on this: "Literal > > + * IPv4 and IPv6 addresses are not permitted".) > > + */ > > + if (hostname_note && > > + sc->proxy->protocol != SSL_PROTOCOL_SSLV2 && > >
>
> A user on IRC reported that the SSL_PROTOCOL_SSLV2 here caused a build break on his Debian system. Does it need to be wrapped in an OPENSSL_NO_SSL2 macro?

Eric, I've just filed a bug, hope it helps:
https://issues.apache.org/bugzilla/show_bug.cgi?id=55194

Note that I couldn't apply the correct 2.2.25 version as it's still not present in Bugzilla.

Thanks,
corrado
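
Review bot: The `sc->proxy->protocol != SSL_PROTOCOL_SSLV2` comparison in the new `if (hostname_note && ...` condition is guarded only by `#ifndef OPENSSL_NO_TLSEXT`, so the block compiles only where `SSL_PROTOCOL_SSLV2` is defined, which matches the build break reported in this thread. Put the SSLv2 comparison under the same preprocessor condition that governs the definition of `SSL_PROTOCOL_SSLV2` (the thread proposes `OPENSSL_NO_SSL2`), and leave the `hostname_note` test and the rest of the condition unconditional so the SNI path still builds and behaves the same when SSLv2 support is compiled out. The quoted hunk stops at this line, so the SSLv3 test and the IP-literal exclusion that the comment describes cannot be checked from what is shown here.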