source: server/common/patches/httpd-2.2.x-sni.patch @ 1109

Last change on this file since 1109 was 1102, checked in by mitchb, 17 years ago
Update to current version of the 2.2.x SNI patch
File size: 20.8 KB
RevLine 
[1102]1httpd-2.2.x-sni.patch - server name indication support for Apache 2.2
2(see RFC 4366, "Transport Layer Security (TLS) Extensions")
[683]3
[1102]4Last updated 2009-04-08
[683]5
[1102]6based on a patch from the EdelKey project
7(http://www.edelweb.fr/EdelKey/files/apache-2.2.0+0.9.9+servername.patch)
[683]8
[1102]9Needs openssl-SNAP-20060330 / OpenSSL 0.9.8f or later
10to work properly (ftp://ftp.openssl.org/snapshot/). OpenSSL versions
11prior to 0.9.8j must be configured explicitly for TLS extension support
12at compile time ("./config enable-tlsext").
13
[683]14Index: httpd-2.2.x/modules/ssl/ssl_private.h
15===================================================================
[1102]16--- httpd-2.2.x/modules/ssl/ssl_private.h       (revision 763153)
[683]17+++ httpd-2.2.x/modules/ssl/ssl_private.h       (working copy)
18@@ -35,6 +35,7 @@
19 #include "http_connection.h"
20 #include "http_request.h"
21 #include "http_protocol.h"
22+#include "http_vhost.h"
23 #include "util_script.h"
24 #include "util_filter.h"
25 #include "util_ebcdic.h"
[1102]26@@ -562,6 +563,9 @@ int          ssl_callback_NewSessionCacheEntry(SSL
[683]27 SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
28 void         ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
29 void         ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE, int, int);
30+#ifndef OPENSSL_NO_TLSEXT
31+int          ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
32+#endif
33 
34 /**  Session Cache Support  */
35 void         ssl_scache_init(server_rec *, apr_pool_t *);
36Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c
37===================================================================
[1102]38--- httpd-2.2.x/modules/ssl/ssl_engine_init.c   (revision 763153)
[683]39+++ httpd-2.2.x/modules/ssl/ssl_engine_init.c   (working copy)
[1102]40@@ -358,6 +358,33 @@ static void ssl_init_server_check(server_rec *s,
[683]41     }
42 }
43 
44+#ifndef OPENSSL_NO_TLSEXT
45+static void ssl_init_ctx_tls_extensions(server_rec *s,
46+                                        apr_pool_t *p,
47+                                        apr_pool_t *ptemp,
48+                                        modssl_ctx_t *mctx)
49+{
50+    /*
51+     * Configure TLS extensions support
52+     */
53+    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
54+                 "Configuring TLS extension handling");
55+
56+    /*
57+     * Server name indication (SNI)
58+     */
59+    if (!SSL_CTX_set_tlsext_servername_callback(mctx->ssl_ctx,
60+                          ssl_callback_ServerNameIndication) ||
61+        !SSL_CTX_set_tlsext_servername_arg(mctx->ssl_ctx, mctx)) {
62+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
63+                     "Unable to initialize TLS servername extension "
64+                     "callback (incompatible OpenSSL version?)");
65+        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
66+        ssl_die();
67+    }
68+}
69+#endif
70+
71 static void ssl_init_ctx_protocol(server_rec *s,
72                                   apr_pool_t *p,
73                                   apr_pool_t *ptemp,
[1102]74@@ -690,6 +717,9 @@ static void ssl_init_ctx(server_rec *s,
[683]75     if (mctx->pks) {
76         /* XXX: proxy support? */
77         ssl_init_ctx_cert_chain(s, p, ptemp, mctx);
78+#ifndef OPENSSL_NO_TLSEXT
79+        ssl_init_ctx_tls_extensions(s, p, ptemp, mctx);
80+#endif
81     }
82 }
83 
[1102]84@@ -1039,9 +1069,19 @@ void ssl_init_CheckServers(server_rec *base_server
[816]85         klen = strlen(key);
86 
[683]87         if ((ps = (server_rec *)apr_hash_get(table, key, klen))) {
[816]88-            ap_log_error(APLOG_MARK, APLOG_WARNING, 0,
89+            ap_log_error(APLOG_MARK,
90+#ifdef OPENSSL_NO_TLSEXT
91+                         APLOG_WARNING,
92+#else
93+                         APLOG_DEBUG,
94+#endif
95+                         0,
[683]96                          base_server,
97+#ifdef OPENSSL_NO_TLSEXT
98                          "Init: SSL server IP/port conflict: "
99+#else
100+                         "Init: SSL server IP/port overlap: "
101+#endif
102                          "%s (%s:%d) vs. %s (%s:%d)",
103                          ssl_util_vhostid(p, s),
104                          (s->defn_name ? s->defn_name : "unknown"),
[1102]105@@ -1058,8 +1098,14 @@ void ssl_init_CheckServers(server_rec *base_server
[683]106 
107     if (conflict) {
108         ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server,
109+#ifdef OPENSSL_NO_TLSEXT
110                      "Init: You should not use name-based "
111                      "virtual hosts in conjunction with SSL!!");
112+#else
113+                     "Init: Name-based SSL virtual hosts only "
114+                     "work for clients with TLS server name indication "
115+                     "support (RFC 4366)");
116+#endif
117     }
118 }
119 
120Index: httpd-2.2.x/modules/ssl/ssl_engine_vars.c
121===================================================================
[1102]122--- httpd-2.2.x/modules/ssl/ssl_engine_vars.c   (revision 763153)
[683]123+++ httpd-2.2.x/modules/ssl/ssl_engine_vars.c   (working copy)
[1102]124@@ -320,6 +320,12 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, con
[683]125     else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) {
126         result = ssl_var_lookup_ssl_compress_meth(ssl);
127     }
128+#ifndef OPENSSL_NO_TLSEXT
129+    else if (ssl != NULL && strcEQ(var, "TLS_SNI")) {
130+        result = apr_pstrdup(p, SSL_get_servername(ssl,
131+                                                   TLSEXT_NAMETYPE_host_name));
132+    }
133+#endif
134     return result;
135 }
136 
137Index: httpd-2.2.x/modules/ssl/ssl_engine_kernel.c
138===================================================================
[1102]139--- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (revision 763153)
[683]140+++ httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (working copy)
141@@ -31,6 +31,9 @@
142 #include "ssl_private.h"
143 
144 static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
145+#ifndef OPENSSL_NO_TLSEXT
146+static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s);
147+#endif
148 
149 /*
150  *  Post Read Request Handler
[816]151@@ -39,6 +42,9 @@ int ssl_hook_ReadReq(request_rec *r)
[683]152 {
153     SSLConnRec *sslconn = myConnConfig(r->connection);
154     SSL *ssl;
155+#ifndef OPENSSL_NO_TLSEXT
156+    const char *servername;
157+#endif
158 
159     if (!sslconn) {
160         return DECLINED;
[1102]161@@ -87,6 +93,34 @@ int ssl_hook_ReadReq(request_rec *r)
[683]162     if (!ssl) {
163         return DECLINED;
164     }
165+#ifndef OPENSSL_NO_TLSEXT
[1102]166+    if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
167+        char *host, *scope_id;
168+        apr_port_t port;
169+        apr_status_t rv;
170+
171+        /*
172+         * The SNI extension supplied a hostname. So don't accept requests
173+         * with either no hostname or a different hostname.
174+         */
175+        if (!r->hostname) {
176+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
177+                        "Hostname %s provided via SNI, but no hostname"
178+                        " provided in HTTP request", servername);
179+            return HTTP_BAD_REQUEST;
180+        }
181+        rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool);
182+        if (rv != APR_SUCCESS || scope_id) {
183+            return HTTP_BAD_REQUEST;
184+        }
185+        if (strcmp(host, servername)) {
186+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
187+                        "Hostname %s provided via SNI and hostname %s provided"
188+                        " via HTTP are different", servername, host);
189+            return HTTP_BAD_REQUEST;
190+        }
[683]191+    }
192+#endif
193     SSL_set_app_data2(ssl, r);
194 
195     /*
[1102]196@@ -252,7 +286,7 @@ int ssl_hook_Access(request_rec *r)
[816]197      *   has to enable this via ``SSLOptions +OptRenegotiate''. So we do no
198      *   implicit optimizations.
199      */
200-    if (dc->szCipherSuite) {
201+    if (dc->szCipherSuite || (r->server != r->connection->base_server)) {
202         /* remember old state */
203 
204         if (dc->nOptions & SSL_OPT_OPTRENEGOTIATE) {
[1102]205@@ -267,7 +301,10 @@ int ssl_hook_Access(request_rec *r)
[816]206         }
207 
208         /* configure new state */
209-        if (!modssl_set_cipher_list(ssl, dc->szCipherSuite)) {
[1102]210+        if ((dc->szCipherSuite || sc->server->auth.cipher_suite) &&
211+            !modssl_set_cipher_list(ssl, dc->szCipherSuite ?
212+                                         dc->szCipherSuite :
213+                                         sc->server->auth.cipher_suite)) {
[816]214             ap_log_error(APLOG_MARK, APLOG_WARNING, 0,
215                          r->server,
216                          "Unable to reconfigure (per-directory) "
[1102]217@@ -334,8 +371,13 @@ int ssl_hook_Access(request_rec *r)
[816]218             sk_SSL_CIPHER_free(cipher_list_old);
219         }
220 
221-        /* tracing */
222         if (renegotiate) {
223+#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
224+            if (sc->cipher_server_pref == TRUE) {
225+                SSL_set_options(ssl, SSL_OP_CIPHER_SERVER_PREFERENCE);
226+            }
227+#endif
228+            /* tracing */
229             ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
230                          "Reconfigured cipher suite will force renegotiation");
231         }
[1102]232@@ -353,19 +395,15 @@ int ssl_hook_Access(request_rec *r)
[816]233      * currently active/remembered verify depth (because this means more
234      * restriction on the certificate chain).
235      */
236-    if (dc->nVerifyDepth != UNSET) {
[1102]237-        /* XXX: doesnt look like sslconn->verify_depth is actually used */
238-        if (!(n = sslconn->verify_depth)) {
239-            sslconn->verify_depth = n = sc->server->auth.verify_depth;
240-        }
241-
242-        /* determine whether a renegotiation has to be forced */
243-        if (dc->nVerifyDepth < n) {
244-            renegotiate = TRUE;
245-            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
246-                         "Reduced client verification depth will force "
247-                         "renegotiation");
248-        }
249+    n = sslconn->verify_depth;
250+    sslconn->verify_depth = (dc->nVerifyDepth != UNSET) ?
251+                            dc->nVerifyDepth : sc->server->auth.verify_depth;
252+    if ((sslconn->verify_depth < n) ||
253+        ((n == 0) && (sc->server->auth.verify_depth == 0))) {
254+        renegotiate = TRUE;
255+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
256+                     "Reduced client verification depth will force "
257+                     "renegotiation");
258     }
[816]259 
[1102]260     /*
261@@ -382,18 +420,22 @@ int ssl_hook_Access(request_rec *r)
[816]262      * verification but at least skip the I/O-intensive renegotation
263      * handshake.
264      */
265-    if (dc->nVerifyClient != SSL_CVERIFY_UNSET) {
266+    if ((dc->nVerifyClient != SSL_CVERIFY_UNSET) ||
267+        (sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) {
268         /* remember old state */
269         verify_old = SSL_get_verify_mode(ssl);
270         /* configure new state */
271         verify = SSL_VERIFY_NONE;
272 
273-        if (dc->nVerifyClient == SSL_CVERIFY_REQUIRE) {
274+        if ((dc->nVerifyClient == SSL_CVERIFY_REQUIRE) ||
275+            (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE)) {
276             verify |= SSL_VERIFY_PEER_STRICT;
277         }
278 
279         if ((dc->nVerifyClient == SSL_CVERIFY_OPTIONAL) ||
280-            (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA))
281+            (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA) ||
282+            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL) ||
283+            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
284         {
285             verify |= SSL_VERIFY_PEER;
286         }
[1102]287@@ -491,6 +533,40 @@ int ssl_hook_Access(request_rec *r)
[816]288                      "Changed client verification locations will force "
289                      "renegotiation");
290     }
291+#else
292+#ifndef OPENSSL_NO_TLSEXT
293+#define MODSSL_CFG_CA_NE(f, sc1, sc2) \
294+    (sc1->server->auth.f && \
295+     (!sc2->server->auth.f || \
296+      sc2->server->auth.f && strNE(sc1->server->auth.f, sc2->server->auth.f)))
297+
298+    /* If we're handling a request for a vhost other than the default one,
299+     * then we need to make sure that client authentication is properly
300+     * enforced. For clients supplying an SNI extension, the peer certificate
301+     * verification has happened in the handshake already (and r->server
302+     * has been set to r->connection->base_server). For non-SNI requests,
303+     * an additional check is needed here. If client authentication is
304+     * configured as mandatory, then we can only proceed if the CA list
305+     * doesn't have to be changed (SSL_set_cert_store() would be required
306+     * for this).
307+     */
308+    if ((r->server != r->connection->base_server) &&
309+        (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) &&
310+        renegotiate &&
311+        !(SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
312+        SSLSrvConfigRec *bssc = mySrvConfig(r->connection->base_server);
313+
314+        if (MODSSL_CFG_CA_NE(ca_cert_file, sc, bssc) ||
315+            MODSSL_CFG_CA_NE(ca_cert_path, sc, bssc)) {
316+            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
317+                 "Non-default virtual host with SSLVerify set to 'require' "
318+                 "and VirtualHost-specific CA certificate list is only "
319+                 "supported for clients with TLS server name indication "
320+                 "(SNI) support");
321+            return HTTP_FORBIDDEN;
322+        }
323+    }
324+#endif /* OPENSSL_NO_TLSEXT */
325 #endif /* HAVE_SSL_SET_CERT_STORE */
326 
327     /* If a renegotiation is now required for this location, and the
[1102]328@@ -675,8 +751,10 @@ int ssl_hook_Access(request_rec *r)
[816]329         /*
330          * Finally check for acceptable renegotiation results
331          */
332-        if (dc->nVerifyClient != SSL_CVERIFY_NONE) {
333-            BOOL do_verify = (dc->nVerifyClient == SSL_CVERIFY_REQUIRE);
334+        if ((dc->nVerifyClient != SSL_CVERIFY_NONE) ||
335+            (sc->server->auth.verify_mode != SSL_CVERIFY_NONE)) {
336+            BOOL do_verify = ((dc->nVerifyClient == SSL_CVERIFY_REQUIRE) ||
337+                              (sc->server->auth.verify_mode == SSL_CVERIFY_REQUIRE));
338 
339             if (do_verify && (SSL_get_verify_result(ssl) != X509_V_OK)) {
340                 ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
[1102]341@@ -1006,6 +1084,9 @@ int ssl_hook_Fixup(request_rec *r)
[683]342     SSLDirConfigRec *dc = myDirConfig(r);
343     apr_table_t *env = r->subprocess_env;
344     char *var, *val = "";
345+#ifndef OPENSSL_NO_TLSEXT
346+    const char *servername;
347+#endif
348     STACK_OF(X509) *peer_certs;
349     SSL *ssl;
350     int i;
[1102]351@@ -1027,6 +1108,13 @@ int ssl_hook_Fixup(request_rec *r)
[683]352     /* the always present HTTPS (=HTTP over SSL) flag! */
353     apr_table_setn(env, "HTTPS", "on");
354 
355+#ifndef OPENSSL_NO_TLSEXT
356+    /* add content of SNI TLS extension (if supplied with ClientHello) */
357+    if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
358+        apr_table_set(env, "SSL_TLS_SNI", servername);
359+    }
360+#endif
361+
362     /* standard SSL environment variables */
363     if (dc->nOptions & SSL_OPT_STDENVVARS) {
364         for (i = 0; ssl_hook_Fixup_vars[i]; i++) {
[1102]365@@ -1175,8 +1263,8 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX
[816]366     SSL *ssl = X509_STORE_CTX_get_ex_data(ctx,
367                                           SSL_get_ex_data_X509_STORE_CTX_idx());
368     conn_rec *conn      = (conn_rec *)SSL_get_app_data(ssl);
369-    server_rec *s       = conn->base_server;
370     request_rec *r      = (request_rec *)SSL_get_app_data2(ssl);
371+    server_rec *s       = r ? r->server : conn->base_server;
372 
373     SSLSrvConfigRec *sc = mySrvConfig(s);
374     SSLDirConfigRec *dc = r ? myDirConfig(r) : NULL;
[1102]375@@ -1299,7 +1387,10 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX
[816]376 
377 int ssl_callback_SSLVerify_CRL(int ok, X509_STORE_CTX *ctx, conn_rec *c)
378 {
379-    server_rec *s       = c->base_server;
380+    SSL *ssl = X509_STORE_CTX_get_ex_data(ctx,
381+                                          SSL_get_ex_data_X509_STORE_CTX_idx());
382+    request_rec *r      = (request_rec *)SSL_get_app_data2(ssl);
383+    server_rec *s       = r ? r->server : c->base_server;
384     SSLSrvConfigRec *sc = mySrvConfig(s);
385     SSLConnRec *sslconn = myConnConfig(c);
386     modssl_ctx_t *mctx  = myCtxConfig(sslconn, sc);
[1102]387@@ -1819,3 +1910,141 @@ void ssl_callback_LogTracingState(MODSSL_INFO_CB_A
[683]388     }
389 }
390 
391+#ifndef OPENSSL_NO_TLSEXT
392+/*
393+ * This callback function is executed when OpenSSL encounters an extended
394+ * client hello with a server name indication extension ("SNI", cf. RFC 4366).
395+ */
396+int ssl_callback_ServerNameIndication(SSL *ssl, int *al, modssl_ctx_t *mctx)
397+{
398+    const char *servername =
399+                SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
400+
401+    if (servername) {
402+        conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
403+        if (c) {
404+            if (ap_vhost_iterate_given_conn(c, ssl_find_vhost,
405+                                            (void *)servername)) {
406+                ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
407+                              "SSL virtual host for servername %s found",
408+                              servername);
409+                return SSL_TLSEXT_ERR_OK;
410+            }
411+            else {
412+                ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
413+                              "No matching SSL virtual host for servername "
414+                              "%s found (using default/first virtual host)",
415+                              servername);
416+                return SSL_TLSEXT_ERR_ALERT_WARNING;
417+            }
418+        }
419+    }
420+
421+    return SSL_TLSEXT_ERR_NOACK;
422+}
423+
424+/*
425+ * Find a (name-based) SSL virtual host where either the ServerName
426+ * or one of the ServerAliases matches the supplied name (to be used
427+ * with ap_vhost_iterate_given_conn())
428+ */
429+static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s)
430+{
431+    SSLSrvConfigRec *sc;
432+    SSL *ssl;
433+    BOOL found = FALSE;
434+    apr_array_header_t *names;
435+    int i;
436+
437+    /* check ServerName */
438+    if (!strcasecmp(servername, s->server_hostname)) {
439+        found = TRUE;
440+    }
441+
442+    /*
443+     * if not matched yet, check ServerAlias entries
444+     * (adapted from vhost.c:matches_aliases())
445+     */
446+    if (!found) {
447+        names = s->names;
448+        if (names) {
449+            char **name = (char **)names->elts;
450+            for (i = 0; i < names->nelts; ++i) {
451+                if (!name[i])
452+                    continue;
453+                if (!strcasecmp(servername, name[i])) {
454+                    found = TRUE;
455+                    break;
456+                }
457+            }
458+        }
459+    }
460+
461+    /* if still no match, check ServerAlias entries with wildcards */
462+    if (!found) {
463+        names = s->wild_names;
464+        if (names) {
465+            char **name = (char **)names->elts;
466+            for (i = 0; i < names->nelts; ++i) {
467+                if (!name[i])
468+                    continue;
469+                if (!ap_strcasecmp_match(servername, name[i])) {
470+                    found = TRUE;
471+                    break;
472+                }
473+            }
474+        }
475+    }
476+
477+    /* set SSL_CTX (if matched) */
478+    if (found && (ssl = ((SSLConnRec *)myConnConfig(c))->ssl) &&
479+        (sc = mySrvConfig(s))) {
480+        SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx);
481+        /*
482+         * SSL_set_SSL_CTX() only deals with the server cert,
483+         * so we need to duplicate a few additional settings
484+         * from the ctx by hand
485+         */
486+        SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx));
487+        if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) ||
488+            (SSL_num_renegotiations(ssl) == 0)) {
489+           /*
490+            * Only initialize the verification settings from the ctx
491+            * if they are not yet set, or if we're called when a new
492+            * SSL connection is set up (num_renegotiations == 0).
493+            * Otherwise, we would possibly reset a per-directory
494+            * configuration which was put into effect by ssl_hook_Access.
495+            */
496+            SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
497+                           SSL_CTX_get_verify_callback(ssl->ctx));
498+        }
499+
500+        /*
[816]501+         * We also need to make sure that the correct mctx
502+         * (accessed through the c->base_server->module_config vector)
503+         * is assigned to the connection - the CRL callback e.g.
[683]504+         * makes use of it for retrieving its store (mctx->crl).
505+         * Since logging in callbacks uses c->base_server in many
506+         * cases, it also ensures that these messages are routed
[816]507+         * to the proper log.
[683]508+         */
509+        c->base_server = s;
[816]510+
511+        /*
512+         * There is one special filter callback, which is set
513+         * very early depending on the base_server's log level.
514+         * If this is not the first vhost we're now selecting
515+         * (and the first vhost doesn't use APLOG_DEBUG), then
516+         * we need to set that callback here.
517+         */
[683]518+        if (c->base_server->loglevel >= APLOG_DEBUG) {
519+            BIO_set_callback(SSL_get_rbio(ssl), ssl_io_data_cb);
520+            BIO_set_callback_arg(SSL_get_rbio(ssl), (void *)ssl);
521+        }
522+
523+        return 1;
524+    }
525+
526+    return 0;
527+}
528+#endif
529Index: httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h
530===================================================================
[1102]531--- httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h        (revision 763153)
[683]532+++ httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h        (working copy)
[1102]533@@ -264,6 +264,12 @@ typedef void (*modssl_popfree_fn)(char *data);
[683]534 #define SSL_SESS_CACHE_NO_INTERNAL  SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
535 #endif
536 
537+#ifndef OPENSSL_NO_TLSEXT
538+#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME
539+#define OPENSSL_NO_TLSEXT
540+#endif
541+#endif
542+
543 #endif /* SSL_TOOLKIT_COMPAT_H */
544 
545 /** @} */
Note: See TracBrowser for help on using the repository browser.