* This function sets the virtual host from an extended * client hello with a server name indication extension ("SNI", cf. RFC 6066). */
| 2203 | * client hello with a server name indication extension ("SNI", cf. RFC 6066). |
| 2204 | */ |
| 2205 | static apr_status_t init_vhost(conn_rec *c, SSL *ssl, const char *servername) |
| 2206 | { |
| 2207 | if (c) { |
| 2208 | SSLConnRec *sslcon = myConnConfig(c); |
| 2209 | |
| 2210 | if (sslcon->vhost_found) { |
| 2211 | /* already found the vhost? */ |
| 2212 | return sslcon->vhost_found > 0 ? APR_SUCCESS : APR_NOTFOUND; |
| 2213 | } |
| 2214 | sslcon->vhost_found = -1; |
| 2215 | |
| 2216 | if (!servername) { |
| 2217 | servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); |
| 2218 | } |
| 2219 | if (servername) { |
| 2220 | if (ap_vhost_iterate_given_conn(c, ssl_find_vhost, |
| 2221 | (void *)servername)) { |
| 2222 | ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02043) |
| 2223 | "SSL virtual host for servername %s found", |
| 2224 | servername); |
| 2225 | |
| 2226 | sslcon->vhost_found = +1; |
| 2227 | return APR_SUCCESS; |
| 2228 | } |
| 2229 | else { |
| 2230 | ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02044) |
| 2231 | "No matching SSL virtual host for servername " |
| 2232 | "%s found (using default/first virtual host)", |
| 2233 | servername); |
| 2234 | /* |
| 2235 | * RFC 6066 section 3 says "It is NOT RECOMMENDED to send |
| 2236 | * a warning-level unrecognized_name(112) alert, because |
| 2237 | * the client's behavior in response to warning-level alerts |
| 2238 | * is unpredictable." |
| 2239 | * |
| 2240 | * To maintain backwards compatibility in mod_ssl, we |
| 2241 | * no longer send any alert (neither warning- nor fatal-level), |
| 2242 | * i.e. we take the second action suggested in RFC 6066: |
| 2243 | * "If the server understood the ClientHello extension but |
| 2244 | * does not recognize the server name, the server SHOULD take |
| 2245 | * one of two actions: either abort the handshake by sending |
| 2246 | * a fatal-level unrecognized_name(112) alert or continue |
| 2247 | * the handshake." |
| 2248 | */ |
| 2249 | } |
| 2250 | } |
| 2251 | else { |
| 2252 | ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02645) |
| 2253 | "Server name not provided via TLS extension " |
| 2254 | "(using default/first virtual host)"); |
| 2255 | } |
| 2256 | } |
| 2257 | |
| 2258 | return APR_NOTFOUND; |
| 2259 | } |
| 2260 | |
| 2261 | /* |
| 2262 | * This callback function is executed when OpenSSL encounters an extended |
no test coverage detected