Bug 1434053

Summary: Unknown host or mismatch requests should return 400
Product: Red Hat Software Collections
Reporter: Jan Houska <jhouska>
Component: httpd
Assignee: Luboš Uhliarik <luhliari>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: httpd24
CC: jorton
Target Milestone: beta
Target Release: 2.4
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Deprecated Functionality
Doc Text:
Previously, in an SSL/TLS configuration requiring name-based SSL virtual host selection, mod_ssl would reject requests with a "400 Bad Request" error if the hostname provided in the "Host:" header did not match the hostname provided in a Server Name Indication (SNI) header. Such requests are no longer rejected if the configured SSL/TLS security parameters are identical between the selected virtual hosts, in line with the behaviour of upstream mod_ssl.
Story Points: ---
Clone Of:
: 1638759
Environment:
Last Closed: 2017-03-31 12:24:39 UTC
Type: Bug
Bug Blocks: 1638759    

Description Jan Houska 2017-03-20 15:58:08 UTC
Description of problem:
There was a regression found. The httpd24 collection responds incorrectly if there is an unknown host and/or host mismatch in requests. "400 Bad Request" is expected, but we get "200 OK".

Version:
httpd24-httpd-2.4.25-8.el7.x86_64  and 
httpd24-httpd-2.4.25-8.el6.x86_64 


How reproducible:
always

Steps to Reproduce:
1. Run linked test (/CoreOS/httpd/Regression/bz714704-disable-SNI-if-not-required-by-configuration)

Actual results:
:: [   PASS   ] :: Trigger 400 with bad SNI hint (unknown host) (Expected 0-255, got 0)
HTTP/1.1 200 OK
Date: Fri, 03 Mar 2017 21:35:42 GMT
Server: Apache/2.4.25 (Red Hat) OpenSSL/1.0.1e-fips mod_auth_kerb/5.4 PHP/5.5.21 mod_wsgi/4.5.13 Python/2.7 mod_perl/2.0.9dev Perl/v5.20.1
Last-Modified: Fri, 03 Mar 2017 21:35:38 GMT
ETag: "e-549da53a5c3eb"
Accept-Ranges: bytes
Content-Length: 14
Connection: close
Content-Type: text/html; charset=UTF-8

docroot-alpha
:: [   FAIL   ] :: File 'output' should contain '400 Bad Request' 
:: [  BEGIN   ] :: Trigger 400 with bad SNI hint (host mismatch) :: actually running './client alpha.test:443 beta.test alpha.test /beta.html > output'
writing GET /beta.html HTTP/1.0
Host: beta.test


:: [   PASS   ] :: Trigger 400 with bad SNI hint (host mismatch) (Expected 0-255, got 0)
HTTP/1.1 200 OK
Date: Fri, 03 Mar 2017 21:35:43 GMT
Server: Apache/2.4.25 (Red Hat) OpenSSL/1.0.1e-fips mod_auth_kerb/5.4 PHP/5.5.21 mod_wsgi/4.5.13 Python/2.7 mod_perl/2.0.9dev Perl/v5.20.1
Last-Modified: Fri, 03 Mar 2017 21:35:38 GMT
ETag: "d-549da53aa964b"
Accept-Ranges: bytes
Content-Length: 13
Connection: close
Content-Type: text/html; charset=UTF-8

docroot-beta
:: [   FAIL   ] :: File 'output' should contain '400 Bad Request' 
:: [  BEGIN   ] :: Running 'rm /opt/rh/httpd24/root/etc/httpd/conf.d/rhtsbz714-beta.conf'

Expected results:
The test should pass


Additional info:

Comment 1 Joe Orton 2017-03-31 12:24:39 UTC
The behaviour here now matches upstream; in 2.4.18 we had slightly different (more strict) behaviour in some cases when an SNI hint was required.  This should be documented in the release notes, but otherwise no change is required.
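
A stand-in for the `./client` helper seen in the test log above, as an added example (not the test suite's code and not part of the original report): it sends one name as the SNI hint and another in `Host:`, then classifies the reply so a configuration can be checked for which of the two behaviours it shows. The function names and verdict labels are assumptions, and certificate verification is disabled on the assumption of a lab server with test certificates.

```python
import socket
import ssl

def build_request(host, path):
    """HTTP/1.0 request with an explicit Host header, as written in the test log."""
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")

def parse_status(raw):
    """Return the numeric status code from a raw HTTP response."""
    status_line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])

def verdict(sni, host, status):
    """Classify one probe result (labels are hypothetical, for reporting only)."""
    if sni.lower() == host.lower():
        return "baseline"            # names agree, nothing to conclude
    if status == 400:
        return "mismatch-rejected"   # the stricter behaviour the test expects
    if 200 <= status < 300:
        return "mismatch-served"     # the behaviour reported in this bug
    return "other"

def probe(addr, port, sni, host, path="/", timeout=5.0):
    """Connect to addr:port, send `sni` in the TLS handshake and `host` in HTTP."""
    ctx = ssl.create_default_context()
    # Assumption: lab server with self-signed test certificates.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((addr, port), timeout=timeout) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=sni) as tls:
            tls.sendall(build_request(host, path))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    status = parse_status(b"".join(chunks))
    return status, verdict(sni, host, status)

if __name__ == "__main__":
    import sys
    addr, port, sni, host, path = sys.argv[1:6]
    print(probe(addr, int(port), sni, host, path))
```

Run against a test instance with the connect address, port, SNI name, Host name and path as arguments; a result of `mismatch-served` with differing names corresponds to the 200 responses shown in the report.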