Changeset de3fad3 in mod_gnutls for src/gnutls_hooks.c


Timestamp:
Oct 24, 2018, 12:56:08 PM (2 years ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
debian/master, master, proxy-ticket
Children:
20c3f7b
Parents:
15368a4
Message:

Require handshake and request to use the same server

The new check prevents clients from establishing a TLS connection to
one virtual host and then using that connection to request data from another. This is
particularly important for servers using TLS client authentication as
the only means of access control, because the server context for
certificate validation is selected based on the TLS connection.

File:
1 edited

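--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -1221,4 +1221,29 @@
 
 
+/* Post request hook, checks if TLS connection and vhost match */
+int mgs_req_vhost_check(request_rec *r)
+{
+    /* mod_gnutls server record for the request vhost */
+    mgs_srvconf_rec *r_sc = (mgs_srvconf_rec *)
+        ap_get_module_config(r->server->module_config, &gnutls_module);
+    mgs_handle_t *ctxt = get_effective_gnutls_ctxt(r->connection);
+
+    /* Nothing to check for non-TLS and outgoing proxy connections */
+    if (ctxt == NULL || !ctxt->enabled || ctxt->is_proxy)
+        return DECLINED;
+
+    if (ctxt->sc != r_sc)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_ERR, APR_SUCCESS, ctxt->c,
+                      "%s: Mismatch between handshake and request servers!",
+                      __func__);
+        return HTTP_MISDIRECTED_REQUEST;
+    }
+
+    return DECLINED;
+}
+
+
+
 int mgs_hook_fixups(request_rec * r) {
     unsigned char sbuf[GNUTLS_MAX_SESSION_ID];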
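Review bot: The `ap_log_cerror` call in the mismatch branch records nothing that identifies the two vhosts involved, so an operator investigating a burst of 421 responses (or a suspected attempt to reach a client-cert-protected vhost over a handshake done for another) cannot tell from the log which SNI/Host pairing was rejected; `r->server->server_hostname` is available here and should be logged, e.g. `"%s: Mismatch between handshake and request servers (request vhost %s)!", __func__, r->server->server_hostname`, plus the handshake vhost's name if mgs_srvconf_rec keeps a pointer to its server_rec. The pointer comparison `ctxt->sc != r_sc` is deliberately strict: a client that did not send SNI lands on the default vhost's config and will then be refused for every other name-based vhost on the same listener, which is the right call when client-certificate validation depends on the vhost but deserves a comment so nobody loosens it later, e.g. `/* Strict by design: a no-SNI handshake only ever serves the default vhost */`. Where this function is registered is outside the hunk; the check only protects access control if it runs after vhost resolution and before any per-vhost authorization hook, which is worth stating in the header comment.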