git.net

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

AW: [users@httpd] SNI extension for healthchecks


Hi Yann,

I solved it. The environment variable is read out by mod_ssl correctly. 
The Problem was that mod_proxy_hchceck does not use ap_proxy_determine_connection (which normally sets backend->ssl_hostname), but has it's own function hc_determine_connection.
so the backend->ssl_hostname, to which the environment variable is set, was null and therefore still no SNI.
It can be solved by setting backend->ssl_hostname in hc_get_backend. 

-------------------------------------------------------------
   TLSv1 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 222
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 218
            Version: TLS 1.0 (0x0301)
            Random: d316a98e1b71beceba455598bdb3e8a23797ff2cf3202563...
            Session ID Length: 0
            Cipher Suites Length: 102
            Cipher Suites (51 suites)
            Compression Methods Length: 1
            Compression Methods (1 method)
            Extensions Length: 75
            Extension: server_name (len=22)
            Extension: ec_point_formats (len=4)
            Extension: supported_groups (len=28)
            Extension: SessionTicket TLS (len=0)
            Extension: heartbeat (len=1)
-------------------------------------------------------------

I have attached your patch with this addition included.

Regards,
Dominik


> -----Ursprüngliche Nachricht-----
> Von: Stillhard, Dominik
> Gesendet: Dienstag, 23. Oktober 2018 16:15
> An: users@xxxxxxxxxxxxxxxx
> Betreff: AW: [users@httpd] SNI extension for healthchecks [signed OK]
> 
> Hi Yann,
> 
> I've tested your patch. It doesn't solve the problem. Still no SNI in healthchecks...
> 
> Regards Dominik
> 
> 
> > -----Ursprüngliche Nachricht-----
> > Von: Yann Ylavic <ylavic.dev@xxxxxxxxx>
> > Gesendet: Montag, 22. Oktober 2018 15:15
> > An: users@xxxxxxxxxxxxxxxx
> > Betreff: Re: [users@httpd] SNI extension for healthchecks
> >
> > Hi Dominik,
> >
> > On Mon, Oct 22, 2018 at 1:49 PM Dominik Stillhard <Dominik.Stillhard@united-
> security-
> > providers.ch> wrote:
> > >
> > > I've tested the configuration you proposed.
> > > Unfortunately the problem is not solved by using hostnames.
> >
> > Yes, sorry, I was looking at 2.5/trunk code, while 2.4.x is missing one commit
> > (http://svn.apache.org/r1818726).
> > Without this change in 2.4.x, hostnames work for proxied request but not for
> > healthcheck (supposedly).
> >
> > Could you please try with the attached patch (a backport of r1818726 to 2.4.x)?
> >
> > Regards,
> > Yann.

Attachment: SNI_extension_healthchecks.patch
Description: SNI_extension_healthchecks.patch

Attachment: smime.p7s
Description: S/MIME cryptographic signature