Draft: Add SSLVHostSNIPolicy directive, which sets a global

policy for SSL configuration compatibility between VirtualHosts.

 SSLVHostSNIPolicy
    strict   => fail for any vhost mismatch
    authonly => fail only for client verification/auth differences
    secure   => fail as authonly plus ciphersuite, protocol, keypair diff
    insecure => allow everything

"secure" is the default.

PR: 69743

Author: notroj

modules/ssl/mod_ssl.c

@@ -95,6 +95,8 @@ static const command_rec ssl_config_cmds[] = {
     SSL_CMD_SRV(RandomSeed, TAKE23,
                 "SSL Pseudo Random Number Generator (PRNG) seeding source "
                 "('startup|connect builtin|file:/path|exec:/path [bytes]')")
+    SSL_CMD_SRV(VHostSNIPolicy, TAKE1,
+                "SSL VirtualHost SNI compatibility policy setting")
 
     /*
      * Per-server context configuration directives

modules/ssl/ssl_engine_config.c

@@ -60,6 +60,9 @@ static SSLModConfigRec *ssl_config_global_create(apr_pool_t *pool, server_rec *s
      * initialize per-module configuration
      */
     mc->sesscache_mode         = SSL_SESS_CACHE_OFF;
+#ifdef HAVE_TLSEXT
+    mc->snivh_policy           = MODSSL_SNIVH_SECURE;
+#endif
 #ifdef MODSSL_USE_SSLRAND
     mc->aRandSeed              = apr_array_make(pool, 4,
                                                 sizeof(ssl_randseed_t));
@@ -2038,6 +2041,45 @@ const char  *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag
 #endif
 }
 
+const char *ssl_cmd_SSLVHostSNIPolicy(cmd_parms *cmd, void *dcfg, const char *arg)
+{
+#ifdef HAVE_TLSEXT
+    SSLModConfigRec *mc = myModConfig(cmd->server);
+    const char *err;
+
+    if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+        return err;
+    }
+    if (!mc) {
+        return "SSLVHostSNIPolicy cannot be used inside SSLPolicyDefine";
+    }
+
+    if (strcEQ(arg, "secure")) {
+        mc->snivh_policy = MODSSL_SNIVH_SECURE;
+    }
+    else if (strcEQ(arg, "strict")) {
+        mc->snivh_policy = MODSSL_SNIVH_STRICT;
+    }
+    else if (strcEQ(arg, "insecure")) {
+        mc->snivh_policy = MODSSL_SNIVH_INSECURE;
+    }
+    else if (strcEQ(arg, "authonly")) {
+        mc->snivh_policy = MODSSL_SNIVH_AUTHONLY;
+    }
+    else {
+        return apr_psprintf(cmd->pool, "Invalid SSLVhostSNIPolicy "
+                            "argument '%s'", arg);
+    }
+
+    return NULL;
+#else
+    return "SSLVHostSNIPolicy cannot be used, OpenSSL is not built with "
+        "support for TLS extensions and SNI indication. Refer to the "
+        "documentation, and build a compatible version of OpenSSL."
+#endif
+}
+
+
 #ifdef HAVE_OCSP_STAPLING
 
 const char *ssl_cmd_SSLStaplingCache(cmd_parms *cmd,

modules/ssl/ssl_engine_kernel.c

@@ -126,21 +126,63 @@ static int ap_array_same_str_set(apr_array_header_t *s1, apr_array_header_t *s2)
     return 1;
 }
 
-static int ssl_pk_server_compatible(modssl_pk_server_t *pks1, 
-                                    modssl_pk_server_t *pks2) 
+#ifdef HAVE_SSL_CONF_CMD
+static int array_contains_ssl_param(apr_array_header_t *a,
+                                    const char *name, const char *value)
 {
-    if (!pks1 || !pks2) {
+    int n;
+
+    for (n = 0; n < a->nelts; n++) {
+        ssl_ctx_param_t *p = &APR_ARRAY_IDX(a, n, ssl_ctx_param_t);
+
+        if (strcmp(p->name, name) == 0 && strcmp(p->value, value) == 0)
+            return 1;
+    }
+
+    return 0;
+}
+
+/* Return non-zero if the two ssl_ctx_param arrays match exactly, else
+ * zero. */
+static int array_cmp_ssl_ctx_params(apr_array_header_t *a1,
+                                    apr_array_header_t *a2)
+{
+    int n;
+
+    if (a1 == a2)
+        return 1;
+    if (a1->nelts != a2->nelts)
         return 0;
+
+    for (n = 0; n < a1->nelts; n++) {
+        ssl_ctx_param_t *p = &APR_ARRAY_IDX(a1, n, ssl_ctx_param_t);
+
+        if (!array_contains_ssl_param(a2, p->name, p->value))
+            return 0;
     }
-    /* both have the same certificates? */
-    if ((pks1->ca_name_path != pks2->ca_name_path)
-        && (!pks1->ca_name_path || !pks2->ca_name_path 
-            || strcmp(pks1->ca_name_path, pks2->ca_name_path))) {
+
+    return 1;
+}
+#endif
+
+#define MATCH_STR_CONFIG(a_, b_) ((a_ != b_) && (!a_ || !b_ || strcmp(a_, b_)))
+
+static int ssl_pk_server_compatible(SSLSrvConfigRec *sc1,
+                                    SSLSrvConfigRec *sc2)
+{
+    modssl_pk_server_t *pks1 = sc1->server->pks, *pks2 = sc2->server->pks;
+    modssl_auth_ctx_t *a1 = &sc1->server->auth, *a2 = &sc2->server->auth;
+
+    if (sc1->server->protocol != sc2->server->protocol)
+        return 0;
+
+    /* Check both TLS<1.3 and TLS/1.3 cipher config matches */
+    if (MATCH_STR_CONFIG(a1->cipher_suite, a2->cipher_suite)
+        || MATCH_STR_CONFIG(a1->tls13_ciphers, a2->tls13_ciphers)) {
         return 0;
     }
-    if ((pks1->ca_name_file != pks2->ca_name_file)
-        && (!pks1->ca_name_file || !pks2->ca_name_file 
-            || strcmp(pks1->ca_name_file, pks2->ca_name_file))) {
+
+    if (!pks1 || !pks2) {
         return 0;
     }
     if (!ap_array_same_str_set(pks1->cert_files, pks2->cert_files)
@@ -150,67 +192,72 @@ static int ssl_pk_server_compatible(modssl_pk_server_t *pks1,
     return 1;
 }
 
-static int ssl_auth_compatible(modssl_auth_ctx_t *a1, 
-                               modssl_auth_ctx_t *a2) 
+static int ssl_auth_compatible(SSLSrvConfigRec *sc1, SSLSrvConfigRec *sc2)
 {
-    if (!a1 || !a2) {
-        return 0;
-    }
+    modssl_ctx_t *ctx1 = sc1->server, *ctx2 = sc2->server;
+    modssl_pk_server_t *pks1 = ctx1->pks, *pks2 = ctx2->pks;
+    modssl_auth_ctx_t *a1 = &ctx1->auth, *a2 = &ctx2->auth;
+
     /* both have the same verification */
     if ((a1->verify_depth != a2->verify_depth)
         || (a1->verify_mode != a2->verify_mode)) {
         return 0;
     }
-    /* both have the same ca path/file */
-    if ((a1->ca_cert_path != a2->ca_cert_path)
-        && (!a1->ca_cert_path || !a2->ca_cert_path 
-            || strcmp(a1->ca_cert_path, a2->ca_cert_path))) {
-        return 0;
-    }
-    if ((a1->ca_cert_file != a2->ca_cert_file)
-        && (!a1->ca_cert_file || !a2->ca_cert_file 
-            || strcmp(a1->ca_cert_file, a2->ca_cert_file))) {
-        return 0;
-    }
-    /* both have the same ca cipher suite string */
-    if ((a1->cipher_suite != a2->cipher_suite)
-        && (!a1->cipher_suite || !a2->cipher_suite 
-            || strcmp(a1->cipher_suite, a2->cipher_suite))) {
+
+    /* Check that CA, CRL and OCSP settings match. */
+    if (MATCH_STR_CONFIG(pks1->ca_name_path, pks2->ca_name_path)
+        || MATCH_STR_CONFIG(pks1->ca_name_file, pks2->ca_name_file)
+        || MATCH_STR_CONFIG(a1->ca_cert_path, a2->ca_cert_path)
+        || MATCH_STR_CONFIG(a1->ca_cert_file, a2->ca_cert_file)
+        || MATCH_STR_CONFIG(ctx1->crl_path, ctx2->crl_path)
+        || MATCH_STR_CONFIG(ctx1->crl_file, ctx2->crl_file)
+        || ctx1->crl_check_mask != ctx2->crl_check_mask
+        || ctx1->ocsp_mask != ctx2->ocsp_mask
+        || ctx1->ocsp_force_default != ctx2->ocsp_force_default
+        || MATCH_STR_CONFIG(ctx1->ocsp_responder, ctx2->ocsp_responder)) {
         return 0;
     }
-    /* both have the same ca cipher suite string */
-    if ((a1->tls13_ciphers != a2->tls13_ciphers)
-        && (!a1->tls13_ciphers || !a2->tls13_ciphers 
-            || strcmp(a1->tls13_ciphers, a2->tls13_ciphers))) {
+
+#ifdef HAVE_SRP
+    if (MATCH_STR_CONFIG(ctx1->srp_vfile, ctx2->srp_vfile))
         return 0;
-    }
-    return 1;
-}
+#endif
 
-static int ssl_ctx_compatible(modssl_ctx_t *ctx1, 
-                              modssl_ctx_t *ctx2) 
-{
-    if (!ctx1 || !ctx2 
-        || (ctx1->protocol != ctx2->protocol)
-        || !ssl_auth_compatible(&ctx1->auth, &ctx2->auth)
-        || !ssl_pk_server_compatible(ctx1->pks, ctx2->pks)) {
+#ifdef HAVE_SSL_CONF_CMD
+    /* Without validating (and understanding) each specific
+     * SSLOpenSSLConfCmd command, assume any difference is
+     * relevant to authentication. */
+    if (!array_cmp_ssl_ctx_params(ctx1->ssl_ctx_param, ctx2->ssl_ctx_param))
         return 0;
-    }
+#endif
+
     return 1;
 }
 
-static int ssl_server_compatible(server_rec *s1, server_rec *s2)
+/* Check whether a transition from vhost sc1 to sc2 via SNI is
+ * permitted according to the SSLVHostSNIPolicy setting.  Returns 1 if
+ * the policy treats the vhosts as compatible, else 0. */
+static int ssl_check_vhost_sni_policy(SSLSrvConfigRec *sc1,
+                                      SSLSrvConfigRec *sc2)
 {
-    SSLSrvConfigRec *sc1 = s1? mySrvConfig(s1) : NULL;
-    SSLSrvConfigRec *sc2 = s2? mySrvConfig(s2) : NULL;
+    modssl_snivhpolicy_t policy = sc1->mc->snivh_policy;
 
-    /* both use the same TLS protocol? */
-    if (!sc1 || !sc2 
-        || !ssl_ctx_compatible(sc1->server, sc2->server)) {
-        return 0;
-    }
+    /* Policy: insecure => allow everything. */
+    if (policy == MODSSL_SNIVH_INSECURE)
+        return 1;
 
-    return 1;
+    /* Policy: strict => fail for any vhost transition. */
+    if (policy == MODSSL_SNIVH_STRICT && sc1 != sc2)
+        return 0;
+
+    /* Policy: secure => fail for any difference in definition of
+     * SSLProtocol/Cipher, certs or keys. */
+    if (policy == MODSSL_SNIVH_SECURE && !ssl_pk_server_compatible(sc1, sc2))
+        return 0;
+
+    /* Policy: authonly or secure => fail for any differences in
+     * authentication/trust setting. */
+    return ssl_auth_compatible(sc1, sc2);
 }
 #endif
 
@@ -279,6 +326,8 @@ int ssl_hook_ReadReq(request_rec *r)
         server_rec *handshakeserver = sslconn->server;
         SSLSrvConfigRec *hssc = mySrvConfig(handshakeserver);
 
+        AP_DEBUG_ASSERT(hssc);
+
         if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
             /*
              * The SNI extension supplied a hostname. So don't accept requests
@@ -319,19 +368,14 @@ int ssl_hook_ReadReq(request_rec *r)
                            "which is required to access this server.<br />\n");
             return HTTP_FORBIDDEN;
         }
-        if (r->server != handshakeserver
-            && !ssl_server_compatible(sslconn->server, r->server)) {
-            /*
-             * The request does not select the virtual host that was
-             * selected for handshaking and its SSL parameters are different
-             */
-
+        /* Enforce SSL SNI vhost compatibility policy. */
+        if (!ssl_check_vhost_sni_policy(sc, hssc)) {
             ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02032)
-                         "Hostname %s %s and hostname %s provided"
-                         " via HTTP have no compatible SSL setup",
+                          "Hostname %s %s and hostname %s provided"
+                         " via HTTP have no compatible SSL setup for policy '%s'",
                          servername ? servername : handshakeserver->server_hostname,
                          servername ? "provided via SNI" : "(default host as no SNI was provided)",
-                         r->hostname);
+                          r->hostname, MODSSL_SNIVH_NAME(sc->mc->snivh_policy));
             return HTTP_MISDIRECTED_REQUEST;
         }
     }

modules/ssl/ssl_private.h

@@ -558,6 +558,18 @@ typedef struct {
     int          nBytes;
 } ssl_randseed_t;
 
+typedef enum {
+    MODSSL_SNIVH_STRICT   = 0, /* default */
+    MODSSL_SNIVH_SECURE   = 1,
+    MODSSL_SNIVH_AUTHONLY = 2,
+    MODSSL_SNIVH_INSECURE = 3
+} modssl_snivhpolicy_t;
+
+#define MODSSL_SNIVH_NAME(p_) ((p_) == MODSSL_SNIVH_STRICT ? "strict" : \
+                               ((p_) == MODSSL_SNIVH_SECURE ? "secure" : \
+                                ((p_) == MODSSL_SNIVH_AUTHONLY ? "authonly" : "insecure" )))
+
+
 /**
  * Define the structure of an ASN.1 anything
  */
@@ -723,6 +735,8 @@ typedef struct {
 #ifdef HAVE_FIPS
     BOOL             fips;
 #endif
+
+    modssl_snivhpolicy_t snivh_policy;
 } SSLModConfigRec;
 
 /** Structure representing configured filenames for certs and keys for
@@ -961,6 +975,7 @@ const char  *ssl_cmd_SSLRequire(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLUserName(cmd_parms *, void *, const char *);
 const char  *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
 const char  *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
+const char  *ssl_cmd_SSLVHostSNIPolicy(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
 
 const char  *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);