Revision 1873907
Author: jim
Date: Tue Feb 11 13:21:48 2020 UTC
Changed paths: 8
Log Message:
Merge r1868645, r1868743, r1868929, r1868934, r1869077 from trunk:

mod_ssl: negotiate the TLS protocol version per name-based vhost configuration.

By using the new ClientHello callback provided by OpenSSL 1.1.1, which runs at
the earliest connection stage, we can switch the SSL_CTX of the SSL connection
early enough for OpenSSL to take into account the protocol configuration of the
vhost.

In other words:
    SSL_set_SSL_CTX(c->SSL, s->SSL_CTX)
followed by:
    SSL_set_{min,max}_proto_version(SSL_CTX_get_{min,max}_proto_version(s->SSL_CTX))
works as expected at this stage (while the same from the SNI callback is
ignored by/due to OpenSSL's state machine).

Extracting the SNI (to select the relevant vhost) in the ClientHello callback
is not as easy as calling SSL_get_servername() though; we have to work with
the raw TLS extensions helpers provided by OpenSSL. I stole this code from a
test in the OpenSSL source code (i.e. client_hello_select_server_ctx() in
test/handshake_helper.c).

We can then call init_vhost() as with the SNI callback (in use only for OpenSSL
versions earlier than 1.1.1 now), and pass it the extracted SNI.


mod_ssl: follow-up to r1868645.

Restore ssl_callback_ServerNameIndication() even with OpenSSL 1.1.1+, which
depends on its return value (OK/NOACK), mainly on session resumption, for
SSL_get_servername() to consider or ignore the SNI (returning NULL thus
making SSLStrictSNIVHostCheck fail for possibly legitimate cases).

This means that init_vhost() should accurately return whether the SNI exists
in the configured vhosts, even when it's called multiple times (e.g. first
from ClientHello callback and then from SNI callback), so save that state in
sslconn->vhost_found and reuse it.


mod_ssl: follow-up to r1868645.

Keep the base server's SSLProtocol if none is configured on the vhost
selected by Hello/SNI callback.


mod_ssl: follow-up to r1868645 and r1868929.

Merge ->protocol_set.


mod_ssl: follow-up to r1868645.

CHANGES entry and docs' note.

Submitted by: ylavic
Reviewed by: ylavic, minfrin, jim
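
The mechanism the log message describes, as an added example that is not httpd's or OpenSSL's code: a parser for the raw server_name extension body that SSL_client_hello_get0_ext() hands back (the layout is RFC 6066: u16 list length, u8 name type, u16 name length, name), a length-bounded lookup against a hypothetical vhost table standing in for httpd's server list, and, behind an assumed EXAMPLE_WITH_OPENSSL build flag, the OpenSSL 1.1.1+ ClientHello callback that clamps the per-vhost min/max protocol version at the stage where the commit says it is honoured. The vhost names, their protocol ranges and the extension bytes are constructed for the example; the parser checks go beyond the OpenSSL test code the commit borrows from by also rejecting an embedded NUL in the name.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* TLS version numbers as OpenSSL encodes them (identical to <openssl/ssl.h>),
 * repeated here so the parser and vhost table build without OpenSSL. */
#define TLS1_VERSION   0x0301
#define TLS1_2_VERSION 0x0303
#define TLS1_3_VERSION 0x0304
#define SNI_NAMETYPE_HOST_NAME 0          /* RFC 6066 NameType host_name */

/* Hypothetical vhost table standing in for httpd's server_rec list. */
struct vhost { const char *servername; int min_proto, max_proto; };
static const struct vhost VHOSTS[] = {
    { "www.example.com",    TLS1_2_VERSION, TLS1_3_VERSION },
    { "legacy.example.com", TLS1_VERSION,   TLS1_2_VERSION },
};

/* Parse the raw server_name extension body as SSL_client_hello_get0_ext()
 * returns it: u16 list_len, u8 name_type, u16 name_len, name (RFC 6066).
 * The name is not NUL-terminated; only (*name, *name_len) is valid.
 * Returns 1 on success, 0 if the extension is malformed. */
int parse_sni_extension(const unsigned char *p, size_t remaining,
                        const char **name, size_t *name_len)
{
    size_t len;
    if (p == NULL || remaining <= 2) return 0;
    len = ((size_t)p[0] << 8) | p[1];            /* ServerNameList length */
    p += 2;
    if (len + 2 != remaining) return 0;          /* list must span the whole body */
    remaining = len;
    if (remaining == 0 || *p++ != SNI_NAMETYPE_HOST_NAME) return 0;
    remaining--;
    if (remaining <= 2) return 0;
    len = ((size_t)p[0] << 8) | p[1];            /* HostName length */
    p += 2;
    remaining -= 2;
    if (len == 0 || len > remaining) return 0;   /* name must fit inside the list */
    if (memchr(p, '\0', len) != NULL) return 0;  /* embedded NUL would truncate C-string use */
    *name = (const char *)p;
    *name_len = len;
    return 1;
}

/* Length-bounded, case-insensitive lookup. NULL means no vhost matched, the
 * state the commit message records as sslconn->vhost_found == 0. */
const struct vhost *select_vhost(const char *name, size_t name_len)
{
    size_t i, j;
    for (i = 0; i < sizeof(VHOSTS) / sizeof(VHOSTS[0]); i++) {
        const char *sn = VHOSTS[i].servername;
        if (strlen(sn) != name_len) continue;
        for (j = 0; j < name_len; j++)
            if (tolower((unsigned char)sn[j]) != tolower((unsigned char)name[j])) break;
        if (j == name_len) return &VHOSTS[i];
    }
    return NULL;
}

/* Constructed extension body naming "www.example.com" (not a captured packet). */
static const unsigned char SAMPLE_SNI_EXT[] = {
    0x00, 0x12,                      /* list length 18 */
    0x00,                            /* name_type host_name */
    0x00, 0x0f,                      /* name length 15 */
    'w','w','w','.','e','x','a','m','p','l','e','.','c','o','m'
};

#ifdef EXAMPLE_WITH_OPENSSL
#include <openssl/ssl.h>
/* OpenSSL 1.1.1+ ClientHello callback: build with -DEXAMPLE_WITH_OPENSSL
 * -lssl -lcrypto and register via SSL_CTX_set_client_hello_cb(base_ctx, cb, NULL).
 * It runs before the version is negotiated, so the clamp below is honoured;
 * the same calls from the SNI (servername) callback are not. */
static int client_hello_cb(SSL *ssl, int *al, void *arg)
{
    const unsigned char *p; const char *name; size_t remaining, name_len;
    const struct vhost *vh;
    (void)al; (void)arg;
    if (SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_server_name, &p, &remaining)
        && parse_sni_extension(p, remaining, &name, &name_len)
        && (vh = select_vhost(name, name_len)) != NULL) {
        /* httpd does SSL_set_SSL_CTX(ssl, vhost_ctx) here, then copies
         * SSL_CTX_get_{min,max}_proto_version(vhost_ctx) onto the SSL. */
        SSL_set_min_proto_version(ssl, vh->min_proto);
        SSL_set_max_proto_version(ssl, vh->max_proto);
    }
    return SSL_CLIENT_HELLO_SUCCESS;   /* no or unknown SNI keeps the base server */
}
#endif

int main(void)
{
    const char *name; size_t len; const struct vhost *vh;
    if (parse_sni_extension(SAMPLE_SNI_EXT, sizeof(SAMPLE_SNI_EXT), &name, &len)
        && (vh = select_vhost(name, len)) != NULL)
        printf("%.*s -> %s, TLS 0x%04x..0x%04x\n", (int)len, name,
               vh->servername, vh->min_proto, vh->max_proto);
    return 0;
}
```

The parser returns a pointer into the extension body rather than copying, which is why the embedded-NUL check matters: the commit's flow later compares the name against configured ServerName values as C strings, and a "www.example.com\0evil" name would otherwise match the first vhost while the client keeps a different name. An unknown or absent SNI keeps the base server's SSL_CTX and protocol range, matching the "keep the base server's SSLProtocol" follow-up in the log.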


Changed paths

Path                                                        Details
httpd/httpd/branches/2.4.x/                                 modified, props changed
httpd/httpd/branches/2.4.x/CHANGES                          modified, text changed
httpd/httpd/branches/2.4.x/STATUS                           modified, text changed
httpd/httpd/branches/2.4.x/docs/manual/mod/mod_ssl.xml      modified, text changed
httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_config.c  modified, text changed
httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_init.c    modified, text changed
httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c  modified, text changed
httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h        modified, text changed
