Petr Gajdos
a7a532682b
- unified ciphers with SLE-12 * modified patches: mod_nss-cipherlist_update_for_tls12-doc.diff mod_nss-cipherlist_update_for_tls12.diff update-ciphers.patch - send TLS server name extension on proxy connections (bsc#933832) * added mod_nss-reverse_proxy_send_SNI.patch - updates to the SNI code (from Stanislav Tokos): update update-ciphers.patch (bsc#928039) merge changes from the mod_nss-SNI_support.patch to: 0001-SNI-check-with-NameVirtualHosts.patch (bnc#927402) abstract hash for NSSNickname and ServerName, add ServerAliases and Wild Cards for vhost (bsc#927402, bsc#928039, bsc#930922) replace SSL_SNI_SEND_ALERT by nss_die (cleaner solution for virtual hosts) (bsc#930186) add alert about permission on the certificate database (bsc#933265) OBS-URL: https://build.opensuse.org/request/show/335921 OBS-URL: https://build.opensuse.org/package/show/Apache:Modules/apache2-mod_nss?expand=0&rev=14
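Index: mod_nss-1.0.8/nss_engine_io.c
===================================================================
--- mod_nss-1.0.8.orig/nss_engine_io.c 2015-09-01 09:04:16.141175064 +0200
+++ mod_nss-1.0.8/nss_engine_io.c 2015-09-01 09:04:17.985198759 +0200
@@ -664,6 +664,37 @@ static apr_status_t nss_io_filter_cleanu
 return APR_SUCCESS;
 }
 
+static apr_status_t nss_io_filter_handshake(ap_filter_t *f)
+{
+ conn_rec *c = f->c;
+ SSLConnRec *sslconn = myConnConfig(c);
+
+ /*
+ * Enable SNI for backend requests. Make sure we don't do it for
+ * pure SSLv3 connections
+ */
+ if (sslconn->is_proxy) {
+ const char *hostname_note = apr_table_get(c->notes, "proxy-request-hostname");
+ if (hostname_note) {
+ if (SSL_SetURL(sslconn->ssl, hostname_note) == -1) {
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server,
+ "Error setting SNI extension for SSL Proxy request: %d",
+ PR_GetError());
+ } else {
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, c,
+ "SNI extension for SSL Proxy request set to '%s'",
+ hostname_note);
+ }
+ }
+ else {
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, c,
+ "Can't set SNI extension: no hostname available");
+ }
+ }
+
+ return APR_SUCCESS;
+}
+
 static apr_status_t nss_io_filter_input(ap_filter_t *f,
 apr_bucket_brigade *bb,
 ap_input_mode_t mode,
@@ -699,6 +730,10 @@ static apr_status_t nss_io_filter_input(
 inctx->mode = mode;
 inctx->block = block;
 
+ if ((status = nss_io_filter_handshake(f)) != APR_SUCCESS) {
+ return nss_io_filter_error(f, bb, status);
+ }
+
 if (is_init) {
 /* protocol module needs to handshake before sending
 * data to client (e.g. NNTP or FTP)
@@ -820,6 +855,10 @@ static apr_status_t nss_io_filter_output
 inctx->mode = AP_MODE_READBYTES;
 inctx->block = APR_BLOCK_READ;
 
+ if ((status = nss_io_filter_handshake(f)) != APR_SUCCESS) {
+ return nss_io_filter_error(f, bb, status);
+ }
+
 while (!APR_BRIGADE_EMPTY(bb)) {
 apr_bucket *bucket = APR_BRIGADE_FIRST(bb);
 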
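Review bot: In `nss_io_filter_handshake`, two of the three `ap_log_error` calls pass the `conn_rec *c` where the API takes a `server_rec *` (only the first call uses `c->base_server`), so the logger would read the connection structure as a server record; pass `c->base_server` there, or use `ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, ...)`. The helper always returns `APR_SUCCESS`, so the new error branches in `nss_io_filter_input` and `nss_io_filter_output` can never fire, and a failed `SSL_SetURL` leaves only an INFO line. Since NSS presumably also uses that URL as the expected peer name when checking the backend certificate, consider returning an error or logging at a higher level, after confirming against the module's certificate hook. The comment promises to skip pure SSLv3 connections but no such check is present, and the helper runs on every filter call rather than once per connection. Both caller bodies continue outside the hunks.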