Index: server/common/patches/httpd-2.2.8-sni.patch =================================================================== --- server/common/patches/httpd-2.2.8-sni.patch (revision 815) +++ (revision ) @@ -1,342 +1,0 @@ -httpd-2.2.8-sni.patch - server name indication support for Apache 2.2 -(see RFC 4366, "Transport Layer Security (TLS) Extensions") - -based on a patch from the EdelKey project -(http://www.edelweb.fr/EdelKey/files/apache-2.2.0+0.9.9+servername.patch) - -Needs openssl-SNAP-20060330 / OpenSSL 0.9.8f or later -to work properly (ftp://ftp.openssl.org/snapshot/). The 0.9.8 versions -must be configured explicitly for TLS extension support at compile time -("./config enable-tlsext"). - -Index: httpd-2.2.x/modules/ssl/ssl_private.h -=================================================================== ---- httpd-2.2.x/modules/ssl/ssl_private.h (revision 627519) -+++ httpd-2.2.x/modules/ssl/ssl_private.h (working copy) -@@ -35,6 +35,7 @@ - #include "http_connection.h" - #include "http_request.h" - #include "http_protocol.h" -+#include "http_vhost.h" - #include "util_script.h" - #include "util_filter.h" - #include "util_ebcdic.h" -@@ -555,6 +556,9 @@ - SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *); - void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *); - void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE, int, int); -+#ifndef OPENSSL_NO_TLSEXT -+int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *); -+#endif - - /** Session Cache Support */ - void ssl_scache_init(server_rec *, apr_pool_t *); -Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c -=================================================================== ---- httpd-2.2.x/modules/ssl/ssl_engine_init.c (revision 627519) -+++ httpd-2.2.x/modules/ssl/ssl_engine_init.c (working copy) -@@ -355,6 +355,33 @@ - } - } - -+#ifndef OPENSSL_NO_TLSEXT -+static void ssl_init_ctx_tls_extensions(server_rec *s, -+ apr_pool_t *p, -+ apr_pool_t *ptemp, -+ modssl_ctx_t *mctx) -+{ -+ /* -+ * Configure TLS extensions support -+ */ -+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -+ "Configuring TLS extension handling"); -+ -+ /* -+ * Server name indication (SNI) -+ */ -+ if (!SSL_CTX_set_tlsext_servername_callback(mctx->ssl_ctx, -+ ssl_callback_ServerNameIndication) || -+ !SSL_CTX_set_tlsext_servername_arg(mctx->ssl_ctx, mctx)) { -+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, -+ "Unable to initialize TLS servername extension " -+ "callback (incompatible OpenSSL version?)"); -+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s); -+ ssl_die(); -+ } -+} -+#endif -+ - static void ssl_init_ctx_protocol(server_rec *s, - apr_pool_t *p, - apr_pool_t *ptemp, -@@ -687,6 +714,9 @@ - if (mctx->pks) { - /* XXX: proxy support? */ - ssl_init_ctx_cert_chain(s, p, ptemp, mctx); -+#ifndef OPENSSL_NO_TLSEXT -+ ssl_init_ctx_tls_extensions(s, p, ptemp, mctx); -+#endif - } - } - -@@ -1038,7 +1068,11 @@ - if ((ps = (server_rec *)apr_hash_get(table, key, klen))) { - ap_log_error(APLOG_MARK, APLOG_WARNING, 0, - base_server, -+#ifdef OPENSSL_NO_TLSEXT - "Init: SSL server IP/port conflict: " -+#else -+ "Init: SSL server IP/port overlap: " -+#endif - "%s (%s:%d) vs. %s (%s:%d)", - ssl_util_vhostid(p, s), - (s->defn_name ? s->defn_name : "unknown"), -@@ -1055,8 +1089,14 @@ - - if (conflict) { - ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, -+#ifdef OPENSSL_NO_TLSEXT - "Init: You should not use name-based " - "virtual hosts in conjunction with SSL!!"); -+#else -+ "Init: Name-based SSL virtual hosts only " -+ "work for clients with TLS server name indication " -+ "support (RFC 4366)"); -+#endif - } - } - -Index: httpd-2.2.x/modules/ssl/ssl_engine_vars.c -=================================================================== ---- httpd-2.2.x/modules/ssl/ssl_engine_vars.c (revision 627519) -+++ httpd-2.2.x/modules/ssl/ssl_engine_vars.c (working copy) -@@ -320,6 +320,12 @@ - else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) { - result = ssl_var_lookup_ssl_compress_meth(ssl); - } -+#ifndef OPENSSL_NO_TLSEXT -+ else if (ssl != NULL && strcEQ(var, "TLS_SNI")) { -+ result = apr_pstrdup(p, SSL_get_servername(ssl, -+ TLSEXT_NAMETYPE_host_name)); -+ } -+#endif - return result; - } - -Index: httpd-2.2.x/modules/ssl/ssl_engine_kernel.c -=================================================================== ---- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (revision 627519) -+++ httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (working copy) -@@ -31,6 +31,9 @@ - #include "ssl_private.h" - - static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn); -+#ifndef OPENSSL_NO_TLSEXT -+static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s); -+#endif - - /* - * Post Read Request Handler -@@ -39,6 +42,9 @@ - { - SSLConnRec *sslconn = myConnConfig(r->connection); - SSL *ssl; -+#ifndef OPENSSL_NO_TLSEXT -+ const char *servername; -+#endif - - if (!sslconn) { - return DECLINED; -@@ -87,6 +93,14 @@ - if (!ssl) { - return DECLINED; - } -+#ifndef OPENSSL_NO_TLSEXT -+ if (!r->hostname && -+ (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { -+ /* Use the SNI extension as the hostname if no Host: header was sent */ -+ r->hostname = apr_pstrdup(r->pool, servername); -+ ap_update_vhost_from_headers(r); -+ } -+#endif - SSL_set_app_data2(ssl, r); - - /* -@@ -997,6 +1011,9 @@ - SSLDirConfigRec *dc = myDirConfig(r); - apr_table_t *env = r->subprocess_env; - char *var, *val = ""; -+#ifndef OPENSSL_NO_TLSEXT -+ const char *servername; -+#endif - STACK_OF(X509) *peer_certs; - SSL *ssl; - int i; -@@ -1018,6 +1035,13 @@ - /* the always present HTTPS (=HTTP over SSL) flag! */ - apr_table_setn(env, "HTTPS", "on"); - -+#ifndef OPENSSL_NO_TLSEXT -+ /* add content of SNI TLS extension (if supplied with ClientHello) */ -+ if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { -+ apr_table_set(env, "SSL_TLS_SNI", servername); -+ } -+#endif -+ - /* standard SSL environment variables */ - if (dc->nOptions & SSL_OPT_STDENVVARS) { - for (i = 0; ssl_hook_Fixup_vars[i]; i++) { -@@ -1810,3 +1834,136 @@ - } - } - -+#ifndef OPENSSL_NO_TLSEXT -+/* -+ * This callback function is executed when OpenSSL encounters an extended -+ * client hello with a server name indication extension ("SNI", cf. RFC 4366). -+ */ -+int ssl_callback_ServerNameIndication(SSL *ssl, int *al, modssl_ctx_t *mctx) -+{ -+ const char *servername = -+ SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); -+ -+ if (servername) { -+ conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); -+ if (c) { -+ if (ap_vhost_iterate_given_conn(c, ssl_find_vhost, -+ (void *)servername)) { -+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, -+ "SSL virtual host for servername %s found", -+ servername); -+ return SSL_TLSEXT_ERR_OK; -+ } -+ else { -+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, -+ "No matching SSL virtual host for servername " -+ "%s found (using default/first virtual host)", -+ servername); -+ return SSL_TLSEXT_ERR_ALERT_WARNING; -+ } -+ } -+ } -+ -+ return SSL_TLSEXT_ERR_NOACK; -+} -+ -+/* -+ * Find a (name-based) SSL virtual host where either the ServerName -+ * or one of the ServerAliases matches the supplied name (to be used -+ * with ap_vhost_iterate_given_conn()) -+ */ -+static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s) -+{ -+ SSLSrvConfigRec *sc; -+ SSL *ssl; -+ BOOL found = FALSE; -+ apr_array_header_t *names; -+ int i; -+ -+ /* check ServerName */ -+ if (!strcasecmp(servername, s->server_hostname)) { -+ found = TRUE; -+ } -+ -+ /* -+ * if not matched yet, check ServerAlias entries -+ * (adapted from vhost.c:matches_aliases()) -+ */ -+ if (!found) { -+ names = s->names; -+ if (names) { -+ char **name = (char **)names->elts; -+ for (i = 0; i < names->nelts; ++i) { -+ if (!name[i]) -+ continue; -+ if (!strcasecmp(servername, name[i])) { -+ found = TRUE; -+ break; -+ } -+ } -+ } -+ } -+ -+ /* if still no match, check ServerAlias entries with wildcards */ -+ if (!found) { -+ names = s->wild_names; -+ if (names) { -+ char **name = (char **)names->elts; -+ for (i = 0; i < names->nelts; ++i) { -+ if (!name[i]) -+ continue; -+ if (!ap_strcasecmp_match(servername, name[i])) { -+ found = TRUE; -+ break; -+ } -+ } -+ } -+ } -+ -+ /* set SSL_CTX (if matched) */ -+ if (found && (ssl = ((SSLConnRec *)myConnConfig(c))->ssl) && -+ (sc = mySrvConfig(s))) { -+ SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx); -+ /* -+ * SSL_set_SSL_CTX() only deals with the server cert, -+ * so we need to duplicate a few additional settings -+ * from the ctx by hand -+ */ -+ SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx)); -+ if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) || -+ (SSL_num_renegotiations(ssl) == 0)) { -+ /* -+ * Only initialize the verification settings from the ctx -+ * if they are not yet set, or if we're called when a new -+ * SSL connection is set up (num_renegotiations == 0). -+ * Otherwise, we would possibly reset a per-directory -+ * configuration which was put into effect by ssl_hook_Access. -+ */ -+ SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx), -+ SSL_CTX_get_verify_callback(ssl->ctx)); -+ } -+ -+ /* -+ * We also need to make sure that the correct mctx is -+ * assigned to the connection - the CRL callback e.g. -+ * makes use of it for retrieving its store (mctx->crl). -+ * Since logging in callbacks uses c->base_server in many -+ * cases, it also ensures that these messages are routed -+ * to the proper log. And finally, there is one special -+ * filter callback, which is set very early depending on the -+ * base_server's log level. If this is not the first vhost -+ * we're now selecting (and the first vhost doesn't use -+ * APLOG_DEBUG), then we need to set that callback here. -+ */ -+ c->base_server = s; -+ if (c->base_server->loglevel >= APLOG_DEBUG) { -+ BIO_set_callback(SSL_get_rbio(ssl), ssl_io_data_cb); -+ BIO_set_callback_arg(SSL_get_rbio(ssl), (void *)ssl); -+ } -+ -+ return 1; -+ } -+ -+ return 0; -+} -+#endif -Index: httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h -=================================================================== ---- httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h (revision 627519) -+++ httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h (working copy) -@@ -264,6 +264,12 @@ - #define SSL_SESS_CACHE_NO_INTERNAL SSL_SESS_CACHE_NO_INTERNAL_LOOKUP - #endif - -+#ifndef OPENSSL_NO_TLSEXT -+#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME -+#define OPENSSL_NO_TLSEXT -+#endif -+#endif -+ - #endif /* SSL_TOOLKIT_COMPAT_H */ - - /** @} */ Index: server/common/patches/httpd-2.2.x-broken-ldap-caching.patch =================================================================== --- server/common/patches/httpd-2.2.x-broken-ldap-caching.patch (revision 815) +++ (revision ) @@ -1,36 +1,0 @@ -Index: httpd-2.2.x/modules/ldap/util_ldap.c -=================================================================== ---- httpd-2.2.x/modules/ldap/util_ldap.c (revision 634720) -+++ httpd-2.2.x/modules/ldap/util_ldap.c (working copy) -@@ -925,12 +925,10 @@ - /* ...and entry is valid */ - *binddn = apr_pstrdup(r->pool, search_nodep->dn); - if (attrs) { -- int i = 0, k = 0; -- while (attrs[k++]); -- *retvals = apr_pcalloc(r->pool, sizeof(char *) * k); -- while (search_nodep->vals[i]) { -+ int i; -+ *retvals = apr_pcalloc(r->pool, sizeof(char *) * search_nodep->numvals); -+ for (i = 0; i < search_nodep->numvals; i++) { - (*retvals)[i] = apr_pstrdup(r->pool, search_nodep->vals[i]); -- i++; - } - } - LDAP_CACHE_UNLOCK(); -@@ -1174,12 +1172,10 @@ - /* ...and entry is valid */ - *binddn = apr_pstrdup(r->pool, search_nodep->dn); - if (attrs) { -- int i = 0, k = 0; -- while (attrs[k++]); -- *retvals = apr_pcalloc(r->pool, sizeof(char *) * k); -- while (search_nodep->vals[i]) { -+ int i; -+ *retvals = apr_pcalloc(r->pool, sizeof(char *) * search_nodep->numvals); -+ for (i = 0; i < search_nodep->numvals; i++) { - (*retvals)[i] = apr_pstrdup(r->pool, search_nodep->vals[i]); -- i++; - } - } - LDAP_CACHE_UNLOCK(); Index: server/common/patches/httpd-2.2.x-sni.patch =================================================================== --- server/common/patches/httpd-2.2.x-sni.patch (revision 816) +++ server/common/patches/httpd-2.2.x-sni.patch (revision 816) @@ -0,0 +1,513 @@ +# httpd-2.2.x-sni.patch - server name indication support for Apache 2.2 +# (see RFC 4366, "Transport Layer Security (TLS) Extensions") + +# based on a patch from the EdelKey project +# (http://www.edelweb.fr/EdelKey/files/apache-2.2.0+0.9.9+servername.patch) + +# Needs openssl-SNAP-20060330 / OpenSSL 0.9.8f or later +# to work properly (ftp://ftp.openssl.org/snapshot/). The 0.9.8 versions +# must be configured explicitly for TLS extension support at compile time +# ("./config enable-tlsext"). + +Index: httpd-2.2.x/modules/ssl/ssl_private.h +=================================================================== +--- httpd-2.2.x/modules/ssl/ssl_private.h (revision 663014) ++++ httpd-2.2.x/modules/ssl/ssl_private.h (working copy) +@@ -35,6 +35,7 @@ + #include "http_connection.h" + #include "http_request.h" + #include "http_protocol.h" ++#include "http_vhost.h" + #include "util_script.h" + #include "util_filter.h" + #include "util_ebcdic.h" +@@ -555,6 +556,9 @@ int ssl_callback_NewSessionCach + SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *); + void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *); + void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE, int, int); ++#ifndef OPENSSL_NO_TLSEXT ++int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *); ++#endif + + /** Session Cache Support */ + void ssl_scache_init(server_rec *, apr_pool_t *); +Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c +=================================================================== +--- httpd-2.2.x/modules/ssl/ssl_engine_init.c (revision 663014) ++++ httpd-2.2.x/modules/ssl/ssl_engine_init.c (working copy) +@@ -355,6 +355,33 @@ static void ssl_init_server_check(server + } + } + ++#ifndef OPENSSL_NO_TLSEXT ++static void ssl_init_ctx_tls_extensions(server_rec *s, ++ apr_pool_t *p, ++ apr_pool_t *ptemp, ++ modssl_ctx_t *mctx) ++{ ++ /* ++ * Configure TLS extensions support ++ */ ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "Configuring TLS extension handling"); ++ ++ /* ++ * Server name indication (SNI) ++ */ ++ if (!SSL_CTX_set_tlsext_servername_callback(mctx->ssl_ctx, ++ ssl_callback_ServerNameIndication) || ++ !SSL_CTX_set_tlsext_servername_arg(mctx->ssl_ctx, mctx)) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, ++ "Unable to initialize TLS servername extension " ++ "callback (incompatible OpenSSL version?)"); ++ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s); ++ ssl_die(); ++ } ++} ++#endif ++ + static void ssl_init_ctx_protocol(server_rec *s, + apr_pool_t *p, + apr_pool_t *ptemp, +@@ -687,6 +714,9 @@ static void ssl_init_ctx(server_rec *s, + if (mctx->pks) { + /* XXX: proxy support? */ + ssl_init_ctx_cert_chain(s, p, ptemp, mctx); ++#ifndef OPENSSL_NO_TLSEXT ++ ssl_init_ctx_tls_extensions(s, p, ptemp, mctx); ++#endif + } + } + +@@ -1036,9 +1066,19 @@ void ssl_init_CheckServers(server_rec *b + klen = strlen(key); + + if ((ps = (server_rec *)apr_hash_get(table, key, klen))) { +- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, ++ ap_log_error(APLOG_MARK, ++#ifdef OPENSSL_NO_TLSEXT ++ APLOG_WARNING, ++#else ++ APLOG_DEBUG, ++#endif ++ 0, + base_server, ++#ifdef OPENSSL_NO_TLSEXT + "Init: SSL server IP/port conflict: " ++#else ++ "Init: SSL server IP/port overlap: " ++#endif + "%s (%s:%d) vs. %s (%s:%d)", + ssl_util_vhostid(p, s), + (s->defn_name ? s->defn_name : "unknown"), +@@ -1055,8 +1095,14 @@ void ssl_init_CheckServers(server_rec *b + + if (conflict) { + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, ++#ifdef OPENSSL_NO_TLSEXT + "Init: You should not use name-based " + "virtual hosts in conjunction with SSL!!"); ++#else ++ "Init: Name-based SSL virtual hosts only " ++ "work for clients with TLS server name indication " ++ "support (RFC 4366)"); ++#endif + } + } + +Index: httpd-2.2.x/modules/ssl/ssl_engine_vars.c +=================================================================== +--- httpd-2.2.x/modules/ssl/ssl_engine_vars.c (revision 663014) ++++ httpd-2.2.x/modules/ssl/ssl_engine_vars.c (working copy) +@@ -320,6 +320,12 @@ static char *ssl_var_lookup_ssl(apr_pool + else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) { + result = ssl_var_lookup_ssl_compress_meth(ssl); + } ++#ifndef OPENSSL_NO_TLSEXT ++ else if (ssl != NULL && strcEQ(var, "TLS_SNI")) { ++ result = apr_pstrdup(p, SSL_get_servername(ssl, ++ TLSEXT_NAMETYPE_host_name)); ++ } ++#endif + return result; + } + +Index: httpd-2.2.x/modules/ssl/ssl_engine_kernel.c +=================================================================== +--- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (revision 663014) ++++ httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (working copy) +@@ -31,6 +31,9 @@ + #include "ssl_private.h" + + static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn); ++#ifndef OPENSSL_NO_TLSEXT ++static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s); ++#endif + + /* + * Post Read Request Handler +@@ -39,6 +42,9 @@ int ssl_hook_ReadReq(request_rec *r) + { + SSLConnRec *sslconn = myConnConfig(r->connection); + SSL *ssl; ++#ifndef OPENSSL_NO_TLSEXT ++ const char *servername; ++#endif + + if (!sslconn) { + return DECLINED; +@@ -87,6 +93,14 @@ int ssl_hook_ReadReq(request_rec *r) + if (!ssl) { + return DECLINED; + } ++#ifndef OPENSSL_NO_TLSEXT ++ if (!r->hostname && ++ (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { ++ /* Use the SNI extension as the hostname if no Host: header was sent */ ++ r->hostname = apr_pstrdup(r->pool, servername); ++ ap_update_vhost_from_headers(r); ++ } ++#endif + SSL_set_app_data2(ssl, r); + + /* +@@ -252,7 +266,7 @@ int ssl_hook_Access(request_rec *r) + * has to enable this via ``SSLOptions +OptRenegotiate''. So we do no + * implicit optimizations. + */ +- if (dc->szCipherSuite) { ++ if (dc->szCipherSuite || (r->server != r->connection->base_server)) { + /* remember old state */ + + if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) { +@@ -267,7 +281,10 @@ int ssl_hook_Access(request_rec *r) + } + + /* configure new state */ +- if (!modssl_set_cipher_list(ssl, dc->szCipherSuite)) { ++ if ((dc->szCipherSuite && ++ !modssl_set_cipher_list(ssl, dc->szCipherSuite)) || ++ (sc->server->auth.cipher_suite && ++ !modssl_set_cipher_list(ssl, sc->server->auth.cipher_suite))) { + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, + r->server, + "Unable to reconfigure (per-directory) " +@@ -334,8 +351,13 @@ int ssl_hook_Access(request_rec *r) + sk_SSL_CIPHER_free(cipher_list_old); + } + +- /* tracing */ + if (renegotiate) { ++#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE ++ if (sc->cipher_server_pref == TRUE) { ++ SSL_set_options(ssl, SSL_OP_CIPHER_SERVER_PREFERENCE); ++ } ++#endif ++ /* tracing */ + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, + "Reconfigured cipher suite will force renegotiation"); + } +@@ -353,14 +375,16 @@ int ssl_hook_Access(request_rec *r) + * currently active/remembered verify depth (because this means more + * restriction on the certificate chain). + */ +- if (dc->nVerifyDepth != UNSET) { ++ if ((dc->nVerifyDepth != UNSET) || ++ (sc->server->auth.verify_depth != UNSET)) { + /* XXX: doesnt look like sslconn->verify_depth is actually used */ + if (!(n = sslconn->verify_depth)) { + sslconn->verify_depth = n = sc->server->auth.verify_depth; + } + + /* determine whether a renegotiation has to be forced */ +- if (dc->nVerifyDepth < n) { ++ if ((dc->nVerifyDepth < n) || ++ (sc->server->auth.verify_depth < n)) { + renegotiate = TRUE; + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, + "Reduced client verification depth will force " +@@ -382,18 +406,22 @@ int ssl_hook_Access(request_rec *r) + * verification but at least skip the I/O-intensive renegotation + * handshake. + */ +- if (dc->nVerifyClient != SSL_CVERIFY_UNSET) { ++ if ((dc->nVerifyClient != SSL_CVERIFY_UNSET) || ++ (sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) { + /* remember old state */ + verify_old = SSL_get_verify_mode(ssl); + /* configure new state */ + verify = SSL_VERIFY_NONE; + +- if (dc->nVerifyClient == SSL_CVERIFY_REQUIRE) { ++ if ((dc->nVerifyClient == SSL_CVERIFY_REQUIRE) || ++ (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE)) { + verify |= SSL_VERIFY_PEER_STRICT; + } + + if ((dc->nVerifyClient == SSL_CVERIFY_OPTIONAL) || +- (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA)) ++ (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA) || ++ (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL) || ++ (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA)) + { + verify |= SSL_VERIFY_PEER; + } +@@ -491,6 +519,40 @@ int ssl_hook_Access(request_rec *r) + "Changed client verification locations will force " + "renegotiation"); + } ++#else ++#ifndef OPENSSL_NO_TLSEXT ++#define MODSSL_CFG_CA_NE(f, sc1, sc2) \ ++ (sc1->server->auth.f && \ ++ (!sc2->server->auth.f || \ ++ sc2->server->auth.f && strNE(sc1->server->auth.f, sc2->server->auth.f))) ++ ++ /* If we're handling a request for a vhost other than the default one, ++ * then we need to make sure that client authentication is properly ++ * enforced. For clients supplying an SNI extension, the peer certificate ++ * verification has happened in the handshake already (and r->server ++ * has been set to r->connection->base_server). For non-SNI requests, ++ * an additional check is needed here. If client authentication is ++ * configured as mandatory, then we can only proceed if the CA list ++ * doesn't have to be changed (SSL_set_cert_store() would be required ++ * for this). ++ */ ++ if ((r->server != r->connection->base_server) && ++ (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) && ++ renegotiate && ++ !(SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { ++ SSLSrvConfigRec *bssc = mySrvConfig(r->connection->base_server); ++ ++ if (MODSSL_CFG_CA_NE(ca_cert_file, sc, bssc) || ++ MODSSL_CFG_CA_NE(ca_cert_path, sc, bssc)) { ++ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, ++ "Non-default virtual host with SSLVerify set to 'require' " ++ "and VirtualHost-specific CA certificate list is only " ++ "supported for clients with TLS server name indication " ++ "(SNI) support"); ++ return HTTP_FORBIDDEN; ++ } ++ } ++#endif /* OPENSSL_NO_TLSEXT */ + #endif /* HAVE_SSL_SET_CERT_STORE */ + + /* If a renegotiation is now required for this location, and the +@@ -666,8 +728,10 @@ int ssl_hook_Access(request_rec *r) + /* + * Finally check for acceptable renegotiation results + */ +- if (dc->nVerifyClient != SSL_CVERIFY_NONE) { +- BOOL do_verify = (dc->nVerifyClient == SSL_CVERIFY_REQUIRE); ++ if ((dc->nVerifyClient != SSL_CVERIFY_NONE) || ++ (sc->server->auth.verify_mode != SSL_CVERIFY_NONE)) { ++ BOOL do_verify = ((dc->nVerifyClient == SSL_CVERIFY_REQUIRE) || ++ (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE)); + + if (do_verify && (SSL_get_verify_result(ssl) != X509_V_OK)) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, +@@ -997,6 +1061,9 @@ int ssl_hook_Fixup(request_rec *r) + SSLDirConfigRec *dc = myDirConfig(r); + apr_table_t *env = r->subprocess_env; + char *var, *val = ""; ++#ifndef OPENSSL_NO_TLSEXT ++ const char *servername; ++#endif + STACK_OF(X509) *peer_certs; + SSL *ssl; + int i; +@@ -1018,6 +1085,13 @@ int ssl_hook_Fixup(request_rec *r) + /* the always present HTTPS (=HTTP over SSL) flag! */ + apr_table_setn(env, "HTTPS", "on"); + ++#ifndef OPENSSL_NO_TLSEXT ++ /* add content of SNI TLS extension (if supplied with ClientHello) */ ++ if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { ++ apr_table_set(env, "SSL_TLS_SNI", servername); ++ } ++#endif ++ + /* standard SSL environment variables */ + if (dc->nOptions & SSL_OPT_STDENVVARS) { + for (i = 0; ssl_hook_Fixup_vars[i]; i++) { +@@ -1166,8 +1240,8 @@ int ssl_callback_SSLVerify(int ok, X509_ + SSL *ssl = X509_STORE_CTX_get_ex_data(ctx, + SSL_get_ex_data_X509_STORE_CTX_idx()); + conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl); +- server_rec *s = conn->base_server; + request_rec *r = (request_rec *)SSL_get_app_data2(ssl); ++ server_rec *s = r ? r->server : conn->base_server; + + SSLSrvConfigRec *sc = mySrvConfig(s); + SSLDirConfigRec *dc = r ? myDirConfig(r) : NULL; +@@ -1290,7 +1364,10 @@ int ssl_callback_SSLVerify(int ok, X509_ + + int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, conn_rec *c) + { +- server_rec *s = c->base_server; ++ SSL *ssl = X509_STORE_CTX_get_ex_data(ctx, ++ SSL_get_ex_data_X509_STORE_CTX_idx()); ++ request_rec *r = (request_rec *)SSL_get_app_data2(ssl); ++ server_rec *s = r ? r->server : c->base_server; + SSLSrvConfigRec *sc = mySrvConfig(s); + SSLConnRec *sslconn = myConnConfig(c); + modssl_ctx_t *mctx = myCtxConfig(sslconn, sc); +@@ -1810,3 +1887,141 @@ void ssl_callback_LogTracingState(MODSSL + } + } + ++#ifndef OPENSSL_NO_TLSEXT ++/* ++ * This callback function is executed when OpenSSL encounters an extended ++ * client hello with a server name indication extension ("SNI", cf. RFC 4366). ++ */ ++int ssl_callback_ServerNameIndication(SSL *ssl, int *al, modssl_ctx_t *mctx) ++{ ++ const char *servername = ++ SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); ++ ++ if (servername) { ++ conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); ++ if (c) { ++ if (ap_vhost_iterate_given_conn(c, ssl_find_vhost, ++ (void *)servername)) { ++ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, ++ "SSL virtual host for servername %s found", ++ servername); ++ return SSL_TLSEXT_ERR_OK; ++ } ++ else { ++ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, ++ "No matching SSL virtual host for servername " ++ "%s found (using default/first virtual host)", ++ servername); ++ return SSL_TLSEXT_ERR_ALERT_WARNING; ++ } ++ } ++ } ++ ++ return SSL_TLSEXT_ERR_NOACK; ++} ++ ++/* ++ * Find a (name-based) SSL virtual host where either the ServerName ++ * or one of the ServerAliases matches the supplied name (to be used ++ * with ap_vhost_iterate_given_conn()) ++ */ ++static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s) ++{ ++ SSLSrvConfigRec *sc; ++ SSL *ssl; ++ BOOL found = FALSE; ++ apr_array_header_t *names; ++ int i; ++ ++ /* check ServerName */ ++ if (!strcasecmp(servername, s->server_hostname)) { ++ found = TRUE; ++ } ++ ++ /* ++ * if not matched yet, check ServerAlias entries ++ * (adapted from vhost.c:matches_aliases()) ++ */ ++ if (!found) { ++ names = s->names; ++ if (names) { ++ char **name = (char **)names->elts; ++ for (i = 0; i < names->nelts; ++i) { ++ if (!name[i]) ++ continue; ++ if (!strcasecmp(servername, name[i])) { ++ found = TRUE; ++ break; ++ } ++ } ++ } ++ } ++ ++ /* if still no match, check ServerAlias entries with wildcards */ ++ if (!found) { ++ names = s->wild_names; ++ if (names) { ++ char **name = (char **)names->elts; ++ for (i = 0; i < names->nelts; ++i) { ++ if (!name[i]) ++ continue; ++ if (!ap_strcasecmp_match(servername, name[i])) { ++ found = TRUE; ++ break; ++ } ++ } ++ } ++ } ++ ++ /* set SSL_CTX (if matched) */ ++ if (found && (ssl = ((SSLConnRec *)myConnConfig(c))->ssl) && ++ (sc = mySrvConfig(s))) { ++ SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx); ++ /* ++ * SSL_set_SSL_CTX() only deals with the server cert, ++ * so we need to duplicate a few additional settings ++ * from the ctx by hand ++ */ ++ SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx)); ++ if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) || ++ (SSL_num_renegotiations(ssl) == 0)) { ++ /* ++ * Only initialize the verification settings from the ctx ++ * if they are not yet set, or if we're called when a new ++ * SSL connection is set up (num_renegotiations == 0). ++ * Otherwise, we would possibly reset a per-directory ++ * configuration which was put into effect by ssl_hook_Access. ++ */ ++ SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx), ++ SSL_CTX_get_verify_callback(ssl->ctx)); ++ } ++ ++ /* ++ * We also need to make sure that the correct mctx ++ * (accessed through the c->base_server->module_config vector) ++ * is assigned to the connection - the CRL callback e.g. ++ * makes use of it for retrieving its store (mctx->crl). ++ * Since logging in callbacks uses c->base_server in many ++ * cases, it also ensures that these messages are routed ++ * to the proper log. ++ */ ++ c->base_server = s; ++ ++ /* ++ * There is one special filter callback, which is set ++ * very early depending on the base_server's log level. ++ * If this is not the first vhost we're now selecting ++ * (and the first vhost doesn't use APLOG_DEBUG), then ++ * we need to set that callback here. ++ */ ++ if (c->base_server->loglevel >= APLOG_DEBUG) { ++ BIO_set_callback(SSL_get_rbio(ssl), ssl_io_data_cb); ++ BIO_set_callback_arg(SSL_get_rbio(ssl), (void *)ssl); ++ } ++ ++ return 1; ++ } ++ ++ return 0; ++} ++#endif +Index: httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h +=================================================================== +--- httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h (revision 663014) ++++ httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h (working copy) +@@ -264,6 +264,12 @@ typedef void (*modssl_popfree_fn)(char * + #define SSL_SESS_CACHE_NO_INTERNAL SSL_SESS_CACHE_NO_INTERNAL_LOOKUP + #endif + ++#ifndef OPENSSL_NO_TLSEXT ++#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME ++#define OPENSSL_NO_TLSEXT ++#endif ++#endif ++ + #endif /* SSL_TOOLKIT_COMPAT_H */ + + /** @} */ Index: server/fedora/specs/httpd.spec.patch =================================================================== --- server/fedora/specs/httpd.spec.patch (revision 815) +++ server/fedora/specs/httpd.spec.patch (revision 816) @@ -6,5 +6,5 @@ +Patch1000: httpd-suexec-scripts.patch -+Patch1001: httpd-2.2.8-sni.patch ++Patch1001: httpd-2.2.x-sni.patch +Patch1003: httpd-2.2.x-mod_status-security.patch +