
[Bug 55707] SSLProtocol directive seem to be ignored over different virtualhosts on the same ip+port


Mike Haller <mike@xxxxxxxxxxxx> changed:

           What    |Removed                     |Added
                 CC|                            |mike@xxxxxxxxxxxx

--- Comment #7 from Mike Haller <mike@xxxxxxxxxxxx> ---
Created attachment 35848
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=35848&action=edit
Reject connections not conforming to vhost SSLProtocol

This was developed and tested with 2.4.27 and in production with that
version.  The patch was modified for 2.4.33 and lightly tested.

This checks the version of the connection against the SSLProtocol
configured for the virtual host that is matched based on the SNI.
Because the connection is initially made with the SSLProtocol configured
for the default host for the port, the default host must include all
protocols that will be supported by any virtual host.

This patch adds an additional return status of APR_EMISMATCH to the
init_vhost function so that the ssl_callback_ServerNameIndication
callback registered with OpenSSL can return fatal alert
SSL_AD_PROTOCOL_VERSION. This is intended to produce the same response
to the ClientHello as having an SSLProtocol specified that does not
include the version in question.  Because the SNI callback is called
during the processing of the ClientHello and before a response is
produced, it seems to do exactly that.

Feedback is welcome.
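The comment above describes two things: a configuration rule (the default vhost for an ip:port must allow every protocol any SNI-selected vhost allows, because the handshake starts under the default vhost's SSLProtocol) and a runtime decision (the SNI callback rejects the ClientHello with a fatal protocol_version alert when the negotiated version is outside the selected vhost's SSLProtocol). The Python below is an added example, not the attached patch or any Apache code: it parses the SSLProtocol directive syntax, lints a set of vhosts for the superset rule, and emulates the callback's decision. The vhost names and directives are constructed sample data; the protocol name list is an assumption based on what current 2.4 releases accept.

```python
"""Added example (not the patch from the bug report): model the SSLProtocol
check the comment describes and lint a vhost set for the default-host rule."""

# Protocol names accepted by SSLProtocol in current Apache 2.4 releases
# (assumption; SSLv2 is omitted because modern OpenSSL builds drop it).
KNOWN = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")


def parse_sslprotocol(directive: str) -> frozenset:
    """Parse the argument of an SSLProtocol directive into the set of
    allowed protocol versions.  Follows the documented syntax: a bare name
    or '+name' adds that protocol, '-name' removes it, and 'all' stands
    for every known protocol.  Matching is case-insensitive."""
    allowed = set()
    for tok in directive.split():
        sign = tok[0] if tok[0] in "+-" else "+"
        name = tok.lstrip("+-")
        if name.lower() == "all":
            chosen = set(KNOWN)
        else:
            chosen = {p for p in KNOWN if p.lower() == name.lower()}
            if not chosen:
                raise ValueError(f"unknown protocol {name!r} in SSLProtocol")
        if sign == "+":
            allowed |= chosen
        else:
            allowed -= chosen
    return frozenset(allowed)


def check_default_superset(vhosts: dict, default_name: str) -> list:
    """Return the names of SNI vhosts that allow a version the default
    vhost for the ip:port does not.  The handshake is initially governed
    by the default vhost's SSLProtocol, so such a vhost can never be
    reached with that version: the mismatch is a configuration bug."""
    default_allowed = vhosts[default_name]
    return sorted(name for name, allowed in vhosts.items()
                  if name != default_name and not allowed <= default_allowed)


def sni_decision(vhosts: dict, sni_host: str, negotiated: str) -> tuple:
    """Emulate the decision made in the SNI callback once the ClientHello
    has selected a vhost: if the version in use is outside that vhost's
    SSLProtocol, answer with the fatal protocol_version alert (OpenSSL's
    SSL_AD_PROTOCOL_VERSION); otherwise let the handshake continue."""
    if negotiated in vhosts[sni_host]:
        return ("continue", None)
    return ("alert", "protocol_version")


# Constructed sample configuration: vhost name -> SSLProtocol argument.
# "default.example" is the default vhost for the shared ip:port.
SAMPLE_CONFIG = {
    "default.example": "all -SSLv3",
    "strict.example": "TLSv1.2 TLSv1.3",
    "legacy.example": "all",          # allows SSLv3, which the default does not
}


def parse_config(config: dict) -> dict:
    """Parse every vhost's SSLProtocol argument into its allowed set."""
    return {name: parse_sslprotocol(arg) for name, arg in config.items()}


if __name__ == "__main__":
    vhosts = parse_config(SAMPLE_CONFIG)
    for name in check_default_superset(vhosts, "default.example"):
        print(f"{name}: allows a protocol the default vhost rejects")
    for host, version in (("strict.example", "TLSv1.1"),
                          ("strict.example", "TLSv1.2")):
        print(host, version, sni_decision(vhosts, host, version))
```

Run as a script, the lint flags legacy.example (its SSLProtocol allows SSLv3, which the default vhost drops), and the emulated callback rejects a TLSv1.1 handshake for strict.example while letting TLSv1.2 through. The superset check is the part worth wiring into deployment tooling: without it, the runtime rejection in the patch is only reachable for versions the default vhost already admits.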
