Hanno Böck commited on 2008-12-24 11:15:33
Zeige 3 geänderte Dateien mit 497 Einfügungen und 0 Löschungen.
@@ -1,7 +1,11 @@ |
1 | 1 |
AUX apache-noip.diff 417 RMD160 8e16f7ff130cea52449a25aafbbdeb78919d9eae SHA1 7c19a0236e4eff23bee6e69ee6708a24529a974c SHA256 c9ed84fec20e69f711600261a395a3d4b3ae2685318f6354c4d2ebd01c0ec4cc |
2 |
+AUX httpd-2.2.x-sni.diff 13866 RMD160 ae21ae0ebc2c0d263b5290d67aeefd56b145ed73 SHA1 b8b8dcc56e6a7bb5c07d95fa46683db4170dd7ba SHA256 092aaa998f2b15e6b89b0785c237ce3bb40d4bf188509fcf58470ce5731380e9 |
|
3 |
+DIST gentoo-apache-2.2.10-20081025.tar.bz2 60296 RMD160 bc6d9e05a5924cf104e0a07b18ab6c9da526a1dc SHA1 f3ea7bda13b57b9f622890b2d9288cb096472a96 SHA256 e7704ac9a645bb722d8063735c7de17a4041d76cc72244fc928a0a5ad1ee1ccd |
|
2 | 4 |
DIST gentoo-apache-2.2.8-r3-20080601.tar.bz2 60383 RMD160 f7d662ac9bce6bcc0e0506503be166fdb7a95eba SHA1 1d87d6ed727a8b7074446a472eb46d2b1a9eb532 SHA256 bc1bdc87aab4cfc377e2016e69f715495097bf37c47112ac6d52929adf0fbc40 |
3 | 5 |
DIST gentoo-apache-2.2.9-20080615.tar.bz2 60183 RMD160 924b6268324aa679b5ff624ece159dad323028aa SHA1 6c8e053a33a561df2417e718803b65f7ac55b640 SHA256 c3bb95e339d7bdfdcd3bd71927287843df0d34ad2740ddc7913cbb0200fc8072 |
6 |
+DIST httpd-2.2.10.tar.bz2 5068069 RMD160 30f240222a775efa14b104a2b8df1e1dc65f4b8a SHA1 3a71f4904e359603c3338b07a1178ddfacfaa8c6 SHA256 681d5787288e4e527877f415acce198be96ce7de0dc6e354646b1df4aae21383 |
|
4 | 7 |
DIST httpd-2.2.8.tar.bz2 4799055 RMD160 0736ea9617bafaa1c8cd34ce4fc1c7a659afea57 SHA1 5074904435d3d942ce2dc96c44b07294b8eaca77 SHA256 2ad8d0db1e478838ba88a0ddaf538c7150027d937b017739fdcb3fabb96ebd39 |
5 | 8 |
DIST httpd-2.2.9.tar.bz2 4943462 RMD160 8fd62ae78271aa0ded6ba2f5bfeea8c63b79060a SHA1 71715d81e7a5ace4499803df7369c78b85251083 SHA256 d76599fbcf8b3bcff2779f880fb10e4a2bc4af60f64232083c06863e40850b61 |
9 |
+EBUILD apache-2.2.10.ebuild 2846 RMD160 eb8e7cfab1c7d8b1645edc89ab06bf953154f0dc SHA1 2d803be5b1c587ac45cfd1c6a538b5054ca47520 SHA256 6132bb63d6e20a6dd67d1ca20caa558e6daf6f90f7c869f0e51eccfe6d140161 |
|
6 | 10 |
EBUILD apache-2.2.8-r3.ebuild 5288 RMD160 096b8185d25c485fd2bd13c09de9de8b5e11dcc8 SHA1 5aff0c23059bb10346c1b2988f496becc28f3a19 SHA256 2cb835468f5968a42b86924909b50cdbd9e0c4e24f0fe30e8c547d82fe49e97a |
7 | 11 |
EBUILD apache-2.2.9.ebuild 2812 RMD160 91b5a44a2db30a6d85e3302bfe9dc16bfcbaf045 SHA1 764bb36273e23745f2ba2cb6a36184096c650f12 SHA256 1302cc772b0404fd65eb9ea7a970558ecc8b0861049a07e122dc95387d45b6e4 |
@@ -0,0 +1,113 @@ |
1 |
+# Copyright 1999-2008 Gentoo Foundation |
|
2 |
+# Distributed under the terms of the GNU General Public License v2 |
|
3 |
+# $Header: /var/cvsroot/gentoo-x86/www-servers/apache/apache-2.2.10.ebuild,v 1.1 2008/10/25 14:42:49 hollow Exp $ |
|
4 |
+ |
|
5 |
+# latest gentoo apache files |
|
6 |
+GENTOO_PATCHSTAMP="20081025" |
|
7 |
+GENTOO_DEVELOPER="hollow" |
|
8 |
+ |
|
9 |
+# IUSE/USE_EXPAND magic |
|
10 |
+IUSE_MPMS_FORK="itk peruser prefork" |
|
11 |
+IUSE_MPMS_THREAD="event worker" |
|
12 |
+ |
|
13 |
+IUSE_MODULES="actions alias asis auth_basic auth_digest authn_alias authn_anon |
|
14 |
+authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default |
|
15 |
+authz_groupfile authz_host authz_owner authz_user autoindex cache cern_meta |
|
16 |
+charset_lite dav dav_fs dav_lock dbd deflate dir disk_cache dumpio env expires |
|
17 |
+ext_filter file_cache filter headers ident imagemap include info log_config |
|
18 |
+log_forensic logio mem_cache mime mime_magic negotiation proxy proxy_ajp |
|
19 |
+proxy_balancer proxy_connect proxy_ftp proxy_http rewrite setenvif speling |
|
20 |
+status substitute unique_id userdir usertrack version vhost_alias" |
|
21 |
+ |
|
22 |
+# inter-module dependencies |
|
23 |
+# TODO: this may still be incomplete |
|
24 |
+MODULE_DEPENDS=" |
|
25 |
+ dav_fs:dav |
|
26 |
+ dav_lock:dav |
|
27 |
+ deflate:filter |
|
28 |
+ disk_cache:cache |
|
29 |
+ ext_filter:filter |
|
30 |
+ file_cache:cache |
|
31 |
+ log_forensic:log_config |
|
32 |
+ logio:log_config |
|
33 |
+ mem_cache:cache |
|
34 |
+ mime_magic:mime |
|
35 |
+ proxy_ajp:proxy |
|
36 |
+ proxy_balancer:proxy |
|
37 |
+ proxy_connect:proxy |
|
38 |
+ proxy_ftp:proxy |
|
39 |
+ proxy_http:proxy |
|
40 |
+ substitute:filter |
|
41 |
+" |
|
42 |
+ |
|
43 |
+# module<->define mappings |
|
44 |
+MODULE_DEFINES=" |
|
45 |
+ auth_digest:AUTH_DIGEST |
|
46 |
+ authnz_ldap:AUTHNZ_LDAP |
|
47 |
+ cache:CACHE |
|
48 |
+ dav:DAV |
|
49 |
+ dav_fs:DAV |
|
50 |
+ dav_lock:DAV |
|
51 |
+ disk_cache:CACHE |
|
52 |
+ file_cache:CACHE |
|
53 |
+ info:INFO |
|
54 |
+ ldap:LDAP |
|
55 |
+ mem_cache:CACHE |
|
56 |
+ proxy:PROXY |
|
57 |
+ proxy_ajp:PROXY |
|
58 |
+ proxy_balancer:PROXY |
|
59 |
+ proxy_connect:PROXY |
|
60 |
+ proxy_ftp:PROXY |
|
61 |
+ proxy_http:PROXY |
|
62 |
+ ssl:SSL |
|
63 |
+ status:STATUS |
|
64 |
+ suexec:SUEXEC |
|
65 |
+ userdir:USERDIR |
|
66 |
+" |
|
67 |
+ |
|
68 |
+# critical modules for the default config |
|
69 |
+MODULE_CRITICAL=" |
|
70 |
+ authz_host |
|
71 |
+ dir |
|
72 |
+ mime |
|
73 |
+" |
|
74 |
+ |
|
75 |
+inherit apache-2 |
|
76 |
+ |
|
77 |
+DESCRIPTION="The Apache Web Server." |
|
78 |
+HOMEPAGE="http://httpd.apache.org/" |
|
79 |
+ |
|
80 |
+# some helper scripts are Apache-1.1, thus both are here |
|
81 |
+LICENSE="Apache-2.0 Apache-1.1" |
|
82 |
+SLOT="2" |
|
83 |
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~sparc-fbsd ~x86 ~x86-fbsd" |
|
84 |
+IUSE="sni" |
|
85 |
+ |
|
86 |
+DEPEND="${DEPEND} |
|
87 |
+ apache2_modules_deflate? ( sys-libs/zlib )" |
|
88 |
+ |
|
89 |
+RDEPEND="${RDEPEND} |
|
90 |
+ apache2_modules_mime? ( app-misc/mime-types )" |
|
91 |
+ |
|
92 |
+src_unpack() { |
|
93 |
+ EPATCH_EXCLUDE="04_all_mod_ssl_tls_sni.patch" |
|
94 |
+ |
|
95 |
+ apache-2_src_unpack |
|
96 |
+ |
|
97 |
+ cd "${S}" |
|
98 |
+ epatch "${FILESDIR}/apache-noip.diff" || die |
|
99 |
+ epatch "${FILESDIR}/httpd-2.2.x-sni.diff" || die |
|
100 |
+ |
|
101 |
+} |
|
102 |
+ |
|
103 |
+pkg_preinst() { |
|
104 |
+ # note regarding IfDefine changes |
|
105 |
+ if has_version "<${CATEGORY}/${PN}-2.2.6-r1"; then |
|
106 |
+ elog |
|
107 |
+ elog "When upgrading from versions 2.2.6 or earlier, please be aware" |
|
108 |
+ elog "that the define for mod_authnz_ldap has changed from AUTH_LDAP" |
|
109 |
+ elog "to AUTHNZ_LDAP. Additionally mod_auth_digest needs to be enabled" |
|
110 |
+ elog "with AUTH_DIGEST now." |
|
111 |
+ elog |
|
112 |
+ fi |
|
113 |
+} |
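Review bot: The `sni` USE flag declared in `IUSE="sni"` is never consulted: `src_unpack` always sets `EPATCH_EXCLUDE` for the patchset's own SNI patch and always applies `httpd-2.2.x-sni.diff`, so USE=-sni still builds an SNI-enabled mod_ssl. Either drop the flag or gate the patch on it, `use sni && epatch "${FILESDIR}/httpd-2.2.x-sni.diff"`. The patch header states it needs OpenSSL 0.9.8f or later built with TLS extension support, and no such dependency is visible in this ebuild's DEPEND (it may come from the apache-2 eclass, which is not shown); if it does not, `sni? ( >=dev-libs/openssl-0.9.8f )` belongs there. The `|| die` after each `epatch` is redundant if the eclass's `epatch` already dies on failure, as is usual.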
@@ -0,0 +1,380 @@ |
1 |
+# httpd-2.2.x-sni.patch - server name indication support for Apache 2.2 |
|
2 |
+# (see RFC 4366, "Transport Layer Security (TLS) Extensions") |
|
3 |
+ |
|
4 |
+# based on a patch from the EdelKey project |
|
5 |
+# (http://www.edelweb.fr/EdelKey/files/apache-2.2.0+0.9.9+servername.patch) |
|
6 |
+ |
|
7 |
+# Needs openssl-SNAP-20060330 / OpenSSL 0.9.8f or later |
|
8 |
+# to work properly (ftp://ftp.openssl.org/snapshot/). The 0.9.8 versions |
|
9 |
+# must be configured explicitly for TLS extension support at compile time |
|
10 |
+# ("./config enable-tlsext"). |
|
11 |
+ |
|
12 |
+Index: httpd-2.2.x/modules/ssl/ssl_private.h |
|
13 |
+=================================================================== |
|
14 |
+--- httpd-2.2.x/modules/ssl/ssl_private.h (revision 663014) |
|
15 |
++++ httpd-2.2.x/modules/ssl/ssl_private.h (working copy) |
|
16 |
+@@ -35,6 +35,7 @@ |
|
17 |
+ #include "http_connection.h" |
|
18 |
+ #include "http_request.h" |
|
19 |
+ #include "http_protocol.h" |
|
20 |
++#include "http_vhost.h" |
|
21 |
+ #include "util_script.h" |
|
22 |
+ #include "util_filter.h" |
|
23 |
+ #include "util_ebcdic.h" |
|
24 |
+@@ -555,6 +556,9 @@ int ssl_callback_NewSessionCach |
|
25 |
+ SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *); |
|
26 |
+ void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *); |
|
27 |
+ void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE, int, int); |
|
28 |
++#ifndef OPENSSL_NO_TLSEXT |
|
29 |
++int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *); |
|
30 |
++#endif |
|
31 |
+ |
|
32 |
+ /** Session Cache Support */ |
|
33 |
+ void ssl_scache_init(server_rec *, apr_pool_t *); |
|
34 |
+Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c |
|
35 |
+=================================================================== |
|
36 |
+--- httpd-2.2.x/modules/ssl/ssl_engine_init.c (revision 663014) |
|
37 |
++++ httpd-2.2.x/modules/ssl/ssl_engine_init.c (working copy) |
|
38 |
+@@ -355,6 +355,33 @@ static void ssl_init_server_check(server |
|
39 |
+ } |
|
40 |
+ } |
|
41 |
+ |
|
42 |
++#ifndef OPENSSL_NO_TLSEXT |
|
43 |
++static void ssl_init_ctx_tls_extensions(server_rec *s, |
|
44 |
++ apr_pool_t *p, |
|
45 |
++ apr_pool_t *ptemp, |
|
46 |
++ modssl_ctx_t *mctx) |
|
47 |
++{ |
|
48 |
++ /* |
|
49 |
++ * Configure TLS extensions support |
|
50 |
++ */ |
|
51 |
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, |
|
52 |
++ "Configuring TLS extension handling"); |
|
53 |
++ |
|
54 |
++ /* |
|
55 |
++ * Server name indication (SNI) |
|
56 |
++ */ |
|
57 |
++ if (!SSL_CTX_set_tlsext_servername_callback(mctx->ssl_ctx, |
|
58 |
++ ssl_callback_ServerNameIndication) || |
|
59 |
++ !SSL_CTX_set_tlsext_servername_arg(mctx->ssl_ctx, mctx)) { |
|
60 |
++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, |
|
61 |
++ "Unable to initialize TLS servername extension " |
|
62 |
++ "callback (incompatible OpenSSL version?)"); |
|
63 |
++ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s); |
|
64 |
++ ssl_die(); |
|
65 |
++ } |
|
66 |
++} |
|
67 |
++#endif |
|
68 |
++ |
|
69 |
+ static void ssl_init_ctx_protocol(server_rec *s, |
|
70 |
+ apr_pool_t *p, |
|
71 |
+ apr_pool_t *ptemp, |
|
72 |
+@@ -687,6 +714,9 @@ static void ssl_init_ctx(server_rec *s, |
|
73 |
+ if (mctx->pks) { |
|
74 |
+ /* XXX: proxy support? */ |
|
75 |
+ ssl_init_ctx_cert_chain(s, p, ptemp, mctx); |
|
76 |
++#ifndef OPENSSL_NO_TLSEXT |
|
77 |
++ ssl_init_ctx_tls_extensions(s, p, ptemp, mctx); |
|
78 |
++#endif |
|
79 |
+ } |
|
80 |
+ } |
|
81 |
+ |
|
82 |
+@@ -1036,9 +1066,19 @@ void ssl_init_CheckServers(server_rec *b |
|
83 |
+ klen = strlen(key); |
|
84 |
+ |
|
85 |
+ if ((ps = (server_rec *)apr_hash_get(table, key, klen))) { |
|
86 |
+- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, |
|
87 |
++ ap_log_error(APLOG_MARK, |
|
88 |
++#ifdef OPENSSL_NO_TLSEXT |
|
89 |
++ APLOG_WARNING, |
|
90 |
++#else |
|
91 |
++ APLOG_DEBUG, |
|
92 |
++#endif |
|
93 |
++ 0, |
|
94 |
+ base_server, |
|
95 |
++#ifdef OPENSSL_NO_TLSEXT |
|
96 |
+ "Init: SSL server IP/port conflict: " |
|
97 |
++#else |
|
98 |
++ "Init: SSL server IP/port overlap: " |
|
99 |
++#endif |
|
100 |
+ "%s (%s:%d) vs. %s (%s:%d)", |
|
101 |
+ ssl_util_vhostid(p, s), |
|
102 |
+ (s->defn_name ? s->defn_name : "unknown"), |
|
103 |
+@@ -1055,8 +1095,14 @@ void ssl_init_CheckServers(server_rec *b |
|
104 |
+ |
|
105 |
+ if (conflict) { |
|
106 |
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, |
|
107 |
++#ifdef OPENSSL_NO_TLSEXT |
|
108 |
+ "Init: You should not use name-based " |
|
109 |
+ "virtual hosts in conjunction with SSL!!"); |
|
110 |
++#else |
|
111 |
++ "Init: Name-based SSL virtual hosts only " |
|
112 |
++ "work for clients with TLS server name indication " |
|
113 |
++ "support (RFC 4366)"); |
|
114 |
++#endif |
|
115 |
+ } |
|
116 |
+ } |
|
117 |
+ |
|
118 |
+Index: httpd-2.2.x/modules/ssl/ssl_engine_vars.c |
|
119 |
+=================================================================== |
|
120 |
+--- httpd-2.2.x/modules/ssl/ssl_engine_vars.c (revision 663014) |
|
121 |
++++ httpd-2.2.x/modules/ssl/ssl_engine_vars.c (working copy) |
|
122 |
+@@ -320,6 +320,12 @@ static char *ssl_var_lookup_ssl(apr_pool |
|
123 |
+ else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) { |
|
124 |
+ result = ssl_var_lookup_ssl_compress_meth(ssl); |
|
125 |
+ } |
|
126 |
++#ifndef OPENSSL_NO_TLSEXT |
|
127 |
++ else if (ssl != NULL && strcEQ(var, "TLS_SNI")) { |
|
128 |
++ result = apr_pstrdup(p, SSL_get_servername(ssl, |
|
129 |
++ TLSEXT_NAMETYPE_host_name)); |
|
130 |
++ } |
|
131 |
++#endif |
|
132 |
+ return result; |
|
133 |
+ } |
|
134 |
+ |
|
135 |
+Index: httpd-2.2.x/modules/ssl/ssl_engine_kernel.c |
|
136 |
+=================================================================== |
|
137 |
+--- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (revision 663014) |
|
138 |
++++ httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (working copy) |
|
139 |
+@@ -31,6 +31,9 @@ |
|
140 |
+ #include "ssl_private.h" |
|
141 |
+ |
|
142 |
+ static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn); |
|
143 |
++#ifndef OPENSSL_NO_TLSEXT |
|
144 |
++static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s); |
|
145 |
++#endif |
|
146 |
+ |
|
147 |
+ /* |
|
148 |
+ * Post Read Request Handler |
|
149 |
+@@ -39,6 +42,9 @@ int ssl_hook_ReadReq(request_rec *r) |
|
150 |
+ { |
|
151 |
+ SSLConnRec *sslconn = myConnConfig(r->connection); |
|
152 |
+ SSL *ssl; |
|
153 |
++#ifndef OPENSSL_NO_TLSEXT |
|
154 |
++ const char *servername; |
|
155 |
++#endif |
|
156 |
+ |
|
157 |
+ if (!sslconn) { |
|
158 |
+ return DECLINED; |
|
159 |
+@@ -87,6 +93,14 @@ int ssl_hook_ReadReq(request_rec *r) |
|
160 |
+ if (!ssl) { |
|
161 |
+ return DECLINED; |
|
162 |
+ } |
|
163 |
++#ifndef OPENSSL_NO_TLSEXT |
|
164 |
++ if (!r->hostname && |
|
165 |
++ (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { |
|
166 |
++ /* Use the SNI extension as the hostname if no Host: header was sent */ |
|
167 |
++ r->hostname = apr_pstrdup(r->pool, servername); |
|
168 |
++ ap_update_vhost_from_headers(r); |
|
169 |
++ } |
|
170 |
++#endif |
|
171 |
+ SSL_set_app_data2(ssl, r); |
|
172 |
+ |
|
173 |
+ /* |
|
174 |
+@@ -353,6 +367,11 @@ int ssl_hook_Access(request_rec *r) |
|
175 |
+ * currently active/remembered verify depth (because this means more |
|
176 |
+ * restriction on the certificate chain). |
|
177 |
+ */ |
|
178 |
++ if ((sc->server->auth.verify_depth != UNSET) && |
|
179 |
++ (dc->nVerifyDepth == UNSET)) { |
|
180 |
++ /* apply per-vhost setting, if per-directory config is not set */ |
|
181 |
++ dc->nVerifyDepth = sc->server->auth.verify_depth; |
|
182 |
++ } |
|
183 |
+ if (dc->nVerifyDepth != UNSET) { |
|
184 |
+ /* XXX: doesnt look like sslconn->verify_depth is actually used */ |
|
185 |
+ if (!(n = sslconn->verify_depth)) { |
|
186 |
+@@ -382,6 +401,11 @@ int ssl_hook_Access(request_rec *r) |
|
187 |
+ * verification but at least skip the I/O-intensive renegotation |
|
188 |
+ * handshake. |
|
189 |
+ */ |
|
190 |
++ if ((sc->server->auth.verify_mode != SSL_CVERIFY_UNSET) && |
|
191 |
++ (dc->nVerifyClient == SSL_CVERIFY_UNSET)) { |
|
192 |
++ /* apply per-vhost setting, if per-directory config is not set */ |
|
193 |
++ dc->nVerifyClient = sc->server->auth.verify_mode; |
|
194 |
++ } |
|
195 |
+ if (dc->nVerifyClient != SSL_CVERIFY_UNSET) { |
|
196 |
+ /* remember old state */ |
|
197 |
+ verify_old = SSL_get_verify_mode(ssl); |
|
198 |
+@@ -997,6 +1021,9 @@ int ssl_hook_Fixup(request_rec *r) |
|
199 |
+ SSLDirConfigRec *dc = myDirConfig(r); |
|
200 |
+ apr_table_t *env = r->subprocess_env; |
|
201 |
+ char *var, *val = ""; |
|
202 |
++#ifndef OPENSSL_NO_TLSEXT |
|
203 |
++ const char *servername; |
|
204 |
++#endif |
|
205 |
+ STACK_OF(X509) *peer_certs; |
|
206 |
+ SSL *ssl; |
|
207 |
+ int i; |
|
208 |
+@@ -1018,6 +1045,13 @@ int ssl_hook_Fixup(request_rec *r) |
|
209 |
+ /* the always present HTTPS (=HTTP over SSL) flag! */ |
|
210 |
+ apr_table_setn(env, "HTTPS", "on"); |
|
211 |
+ |
|
212 |
++#ifndef OPENSSL_NO_TLSEXT |
|
213 |
++ /* add content of SNI TLS extension (if supplied with ClientHello) */ |
|
214 |
++ if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { |
|
215 |
++ apr_table_set(env, "SSL_TLS_SNI", servername); |
|
216 |
++ } |
|
217 |
++#endif |
|
218 |
++ |
|
219 |
+ /* standard SSL environment variables */ |
|
220 |
+ if (dc->nOptions & SSL_OPT_STDENVVARS) { |
|
221 |
+ for (i = 0; ssl_hook_Fixup_vars[i]; i++) { |
|
222 |
+@@ -1810,3 +1844,141 @@ void ssl_callback_LogTracingState(MODSSL |
|
223 |
+ } |
|
224 |
+ } |
|
225 |
+ |
|
226 |
++#ifndef OPENSSL_NO_TLSEXT |
|
227 |
++/* |
|
228 |
++ * This callback function is executed when OpenSSL encounters an extended |
|
229 |
++ * client hello with a server name indication extension ("SNI", cf. RFC 4366). |
|
230 |
++ */ |
|
231 |
++int ssl_callback_ServerNameIndication(SSL *ssl, int *al, modssl_ctx_t *mctx) |
|
232 |
++{ |
|
233 |
++ const char *servername = |
|
234 |
++ SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); |
|
235 |
++ |
|
236 |
++ if (servername) { |
|
237 |
++ conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); |
|
238 |
++ if (c) { |
|
239 |
++ if (ap_vhost_iterate_given_conn(c, ssl_find_vhost, |
|
240 |
++ (void *)servername)) { |
|
241 |
++ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, |
|
242 |
++ "SSL virtual host for servername %s found", |
|
243 |
++ servername); |
|
244 |
++ return SSL_TLSEXT_ERR_OK; |
|
245 |
++ } |
|
246 |
++ else { |
|
247 |
++ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, |
|
248 |
++ "No matching SSL virtual host for servername " |
|
249 |
++ "%s found (using default/first virtual host)", |
|
250 |
++ servername); |
|
251 |
++ return SSL_TLSEXT_ERR_ALERT_WARNING; |
|
252 |
++ } |
|
253 |
++ } |
|
254 |
++ } |
|
255 |
++ |
|
256 |
++ return SSL_TLSEXT_ERR_NOACK; |
|
257 |
++} |
|
258 |
++ |
|
259 |
++/* |
|
260 |
++ * Find a (name-based) SSL virtual host where either the ServerName |
|
261 |
++ * or one of the ServerAliases matches the supplied name (to be used |
|
262 |
++ * with ap_vhost_iterate_given_conn()) |
|
263 |
++ */ |
|
264 |
++static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s) |
|
265 |
++{ |
|
266 |
++ SSLSrvConfigRec *sc; |
|
267 |
++ SSL *ssl; |
|
268 |
++ BOOL found = FALSE; |
|
269 |
++ apr_array_header_t *names; |
|
270 |
++ int i; |
|
271 |
++ |
|
272 |
++ /* check ServerName */ |
|
273 |
++ if (!strcasecmp(servername, s->server_hostname)) { |
|
274 |
++ found = TRUE; |
|
275 |
++ } |
|
276 |
++ |
|
277 |
++ /* |
|
278 |
++ * if not matched yet, check ServerAlias entries |
|
279 |
++ * (adapted from vhost.c:matches_aliases()) |
|
280 |
++ */ |
|
281 |
++ if (!found) { |
|
282 |
++ names = s->names; |
|
283 |
++ if (names) { |
|
284 |
++ char **name = (char **)names->elts; |
|
285 |
++ for (i = 0; i < names->nelts; ++i) { |
|
286 |
++ if (!name[i]) |
|
287 |
++ continue; |
|
288 |
++ if (!strcasecmp(servername, name[i])) { |
|
289 |
++ found = TRUE; |
|
290 |
++ break; |
|
291 |
++ } |
|
292 |
++ } |
|
293 |
++ } |
|
294 |
++ } |
|
295 |
++ |
|
296 |
++ /* if still no match, check ServerAlias entries with wildcards */ |
|
297 |
++ if (!found) { |
|
298 |
++ names = s->wild_names; |
|
299 |
++ if (names) { |
|
300 |
++ char **name = (char **)names->elts; |
|
301 |
++ for (i = 0; i < names->nelts; ++i) { |
|
302 |
++ if (!name[i]) |
|
303 |
++ continue; |
|
304 |
++ if (!ap_strcasecmp_match(servername, name[i])) { |
|
305 |
++ found = TRUE; |
|
306 |
++ break; |
|
307 |
++ } |
|
308 |
++ } |
|
309 |
++ } |
|
310 |
++ } |
|
311 |
++ |
|
312 |
++ /* set SSL_CTX (if matched) */ |
|
313 |
++ if (found && (ssl = ((SSLConnRec *)myConnConfig(c))->ssl) && |
|
314 |
++ (sc = mySrvConfig(s))) { |
|
315 |
++ SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx); |
|
316 |
++ /* |
|
317 |
++ * SSL_set_SSL_CTX() only deals with the server cert, |
|
318 |
++ * so we need to duplicate a few additional settings |
|
319 |
++ * from the ctx by hand |
|
320 |
++ */ |
|
321 |
++ SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx)); |
|
322 |
++ if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) || |
|
323 |
++ (SSL_num_renegotiations(ssl) == 0)) { |
|
324 |
++ /* |
|
325 |
++ * Only initialize the verification settings from the ctx |
|
326 |
++ * if they are not yet set, or if we're called when a new |
|
327 |
++ * SSL connection is set up (num_renegotiations == 0). |
|
328 |
++ * Otherwise, we would possibly reset a per-directory |
|
329 |
++ * configuration which was put into effect by ssl_hook_Access. |
|
330 |
++ */ |
|
331 |
++ SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx), |
|
332 |
++ SSL_CTX_get_verify_callback(ssl->ctx)); |
|
333 |
++ } |
|
334 |
++ |
|
335 |
++ /* |
|
336 |
++ * We also need to make sure that the correct mctx |
|
337 |
++ * (accessed through the c->base_server->module_config vector) |
|
338 |
++ * is assigned to the connection - the CRL callback e.g. |
|
339 |
++ * makes use of it for retrieving its store (mctx->crl). |
|
340 |
++ * Since logging in callbacks uses c->base_server in many |
|
341 |
++ * cases, it also ensures that these messages are routed |
|
342 |
++ * to the proper log. |
|
343 |
++ */ |
|
344 |
++ c->base_server = s; |
|
345 |
++ |
|
346 |
++ /* |
|
347 |
++ * There is one special filter callback, which is set |
|
348 |
++ * very early depending on the base_server's log level. |
|
349 |
++ * If this is not the first vhost we're now selecting |
|
350 |
++ * (and the first vhost doesn't use APLOG_DEBUG), then |
|
351 |
++ * we need to set that callback here. |
|
352 |
++ */ |
|
353 |
++ if (c->base_server->loglevel >= APLOG_DEBUG) { |
|
354 |
++ BIO_set_callback(SSL_get_rbio(ssl), ssl_io_data_cb); |
|
355 |
++ BIO_set_callback_arg(SSL_get_rbio(ssl), (void *)ssl); |
|
356 |
++ } |
|
357 |
++ |
|
358 |
++ return 1; |
|
359 |
++ } |
|
360 |
++ |
|
361 |
++ return 0; |
|
362 |
++} |
|
363 |
++#endif |
|
364 |
+Index: httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h |
|
365 |
+=================================================================== |
|
366 |
+--- httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h (revision 663014) |
|
367 |
++++ httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h (working copy) |
|
368 |
+@@ -264,6 +264,12 @@ typedef void (*modssl_popfree_fn)(char * |
|
369 |
+ #define SSL_SESS_CACHE_NO_INTERNAL SSL_SESS_CACHE_NO_INTERNAL_LOOKUP |
|
370 |
+ #endif |
|
371 |
+ |
|
372 |
++#ifndef OPENSSL_NO_TLSEXT |
|
373 |
++#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME |
|
374 |
++#define OPENSSL_NO_TLSEXT |
|
375 |
++#endif |
|
376 |
++#endif |
|
377 |
++ |
|
378 |
+ #endif /* SSL_TOOLKIT_COMPAT_H */ |
|
379 |
+ |
|
380 |
+ /** @} */ |
|
0 | 381 |
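Review bot: In the `ssl_hook_ReadReq` hunk the SNI name is used only when the request has no Host: header; when both are present and disagree, the request is still routed by Host: to a vhost other than the one whose SSL_CTX `ssl_find_vhost` installed during the handshake. The new per-vhost SSLVerifyClient/SSLVerifyDepth fallback in `ssl_hook_Access` recovers client-cert settings through renegotiation, but protocol and CA settings negotiated under the SNI vhost's context cannot be redone at request time as far as this patch shows, so a client can combine one vhost's TLS parameters with another vhost's content. Later upstream mod_ssl rejects such requests with 400; comparing the Host: value (with any `:port` suffix stripped) against the SNI name at this point closes the gap. `ssl_hook_ReadReq` starts and ends outside the hunk.
```c
    /* … unchanged: sslconn / ssl lookup and early DECLINED returns … */
#ifndef OPENSSL_NO_TLSEXT
    if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
        if (!r->hostname) {
            /* no Host: header - fall back to the SNI name for vhost selection */
            r->hostname = apr_pstrdup(r->pool, servername);
            ap_update_vhost_from_headers(r);
        }
        else {
            char *host, *scope_id;
            apr_port_t port;

            /*
             * Host: and SNI disagree: the handshake used the SNI vhost's
             * SSL_CTX, but the request would be served by the Host: vhost.
             * SSLProtocol / SSLCA* settings cannot be renegotiated, so
             * refuse rather than serve under the wrong TLS parameters.
             * Host: may carry ":port"; compare the host part only.
             */
            if (apr_parse_addr_port(&host, &scope_id, &port,
                                    r->hostname, r->pool) != APR_SUCCESS
                || !host || strcasecmp(host, servername)) {
                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                              "Hostname %s provided via SNI and hostname %s "
                              "provided via HTTP are different",
                              servername, r->hostname);
                return HTTP_BAD_REQUEST;
            }
        }
    }
#endif
    SSL_set_app_data2(ssl, r);
```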