Changeset 04753db8 in mod_gnutls


Ignore:
Timestamp:
Oct 26, 2018, 3:02:54 PM (3 years ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
asyncio, debian/master, master, proxy-ticket
Children:
849b87e
Parents:
a14cf5c
Message:

Require Host header to match SNI hostname (if any)

This is a conformance check on top of requiring virtual hosts of
connection and request to match.

File:
1 edited

Legend:

Unmodified
Added
Removed

  • src/gnutls_hooks.c

    ra14cf5c r04753db8  
    12421242    }
    12431243
     1244    if (!ctxt->sni_name)
     1245        return DECLINED;
     1246
     1247    /* Got an SNI name, so verify it matches. */
     1248    ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, ctxt->c,
     1249                  "%s: Checking request hostname against SNI name '%s'.",
     1250                  __func__, ctxt->sni_name);
     1251
     1252    if (!r->hostname)
     1253    {
     1254        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, r->connection,
     1255                      "Client requested '%s' via SNI, but provided "
     1256                      "no hostname in HTTP request!", ctxt->sni_name);
     1257        return HTTP_MISDIRECTED_REQUEST;
     1258    }
     1259
     1260    if (strcasecmp(r->hostname, ctxt->sni_name) != 0)
     1261    {
     1262        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, r->connection,
     1263                      "Client requested '%s' via SNI, but '%s' in "
     1264                      "the HTTP request!", ctxt->sni_name, r->hostname);
     1265        return HTTP_MISDIRECTED_REQUEST;
     1266    }
     1267
    12441268    return DECLINED;
    12451269}
Note: See TracChangeset for help on using the changeset viewer.