Bug 1638759

Summary: Unknown host or mismatch requests should return 400
Product: Red Hat Software Collections
Reporter: Branislav Náter <bnater>
Component: httpd
Assignee: Luboš Uhliarik <luhliari>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: unspecified
Docs Contact: Lenka Špačková <lkuprova>
Priority: unspecified
Version: httpd24
CC: jhouska, jorton, luhliari, qe-baseos-apps
Target Milestone: beta
Target Release: 2.4
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Release Note
Doc Text:
The handling of TLS Server Name Indication (SNI) hints in the Apache HTTP Server has changed.
* If the SNI hint given in the TLS handshake does not match the Host: header in the HTTP request, an HTTP 421 Misdirected Request error response is now sent by the server instead of the previous 400 Bad Request error response.
* If the SNI hint does not match the server name of a configured VirtualHost, the usual VirtualHost matching rules are now followed, that is, matching the first configured host. Previously, a 400 Bad Request error response was sent.
Story Points: ---
Clone Of: 1434053
Environment:
Last Closed: 2018-11-07 11:28:42 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1434053
Bug Blocks:
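The two dispatch rules in the Doc Text above, as an added Python model written for this page; it is not httpd's own code and not the client used by the test. It compares the SNI name with the Host header by name only, as the release note words it, and does not reproduce mod_ssl's further checks. The alpha.test/beta.test hosts, the unknown name gamma.test and the "old"/"new" labels are constructed here for illustration ("old" being the stricter 400 handling the release note calls previous, "new" the 421/default-host handling it describes).

```python
# Added example: a model of the SNI/Host dispatch rules in the release note
# of this bug. Not httpd code; hosts and behaviour labels are constructed.
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class VirtualHost:
    """One <VirtualHost>: its ServerName and a marker for its DocumentRoot."""
    server_name: str
    docroot: str

    def matches(self, name: str) -> bool:
        return name == self.server_name.lower()


# Constructed configuration mirroring the alpha/beta hosts in the test output.
# Order matters: the first configured host is the default for name-based matching.
VHOSTS: Tuple[VirtualHost, ...] = (
    VirtualHost("alpha.test", "docroot-alpha"),
    VirtualHost("beta.test", "docroot-beta"),
)


def normalize_host(value: str) -> str:
    """Lower-case a host name and drop any :port suffix (assumes IPv6 literals are bracketed)."""
    host = value.strip().lower()
    if host.startswith("["):
        return host.split("]", 1)[0] + "]"
    return host.split(":", 1)[0]


def find_vhost(name: str, vhosts: Sequence[VirtualHost]) -> Optional[VirtualHost]:
    """Name-based lookup; None when no configured host carries that ServerName."""
    for vh in vhosts:
        if vh.matches(name):
            return vh
    return None


def dispatch(sni: Optional[str], host_header: str,
             vhosts: Sequence[VirtualHost] = VHOSTS,
             behaviour: str = "new") -> Tuple[int, Optional[VirtualHost]]:
    """Return (HTTP status, selected VirtualHost or None) for one request.

    behaviour="old": the stricter previous handling (400 on an unknown SNI name
    or on an SNI/Host mismatch).
    behaviour="new": the handling in the release note (421 on mismatch, usual
    matching rules, i.e. first configured host, for an unknown SNI name).
    Only the status decision is modelled, by comparing the two names directly.
    """
    host = normalize_host(host_header)
    if sni is None:
        # No SNI hint: plain name-based matching, first configured host as fallback.
        return 200, find_vhost(host, vhosts) or vhosts[0]

    sni_name = normalize_host(sni)
    sni_vhost = find_vhost(sni_name, vhosts)

    if behaviour == "old":
        if sni_vhost is None:
            return 400, None          # unknown host in the SNI hint
        if sni_name != host:
            return 400, None          # SNI/Host mismatch
        return 200, sni_vhost

    if sni_name != host:
        return 421, None              # Misdirected Request: client needs a new connection
    # Unknown SNI name now follows the usual rules: first configured host wins.
    return 200, sni_vhost or vhosts[0]


if __name__ == "__main__":
    # Constructed request matrix: (SNI, Host header) pairs from the scenarios in this bug.
    cases = [("alpha.test", "alpha.test"), ("beta.test", "alpha.test:443"),
             ("gamma.test", "gamma.test"), (None, "beta.test")]
    for mode in ("old", "new"):
        for sni, host in cases:
            status, vh = dispatch(sni, host, behaviour=mode)
            print(f"{mode:3} SNI={sni!s:10} Host={host:15} -> {status} {vh.docroot if vh else '-'}")
```

Running the matrix in "new" mode gives the 421 seen in the 2.4.34 transcript for the mismatch case and serves the first configured host (docroot-alpha) for an unknown SNI name; "old" mode gives the 400 responses the test in this bug expects. The 200 responses in the cloned 2.4.25 report are a third behaviour that this model does not cover.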

Description Branislav Náter 2018-10-12 12:01:04 UTC
Test works on httpd24-httpd-2.4.27-8.el7.1 and throws the following error on httpd24-httpd-2.4.34-3.el7

Previously reported bugs: BZ#1199040, BZ#1434053.
Is this another change of upstream behavior?

<snip>
========================
Content of output file:
------------------------
HTTP/1.1 421 Misdirected Request
Date: Wed, 03 Oct 2018 22:53:45 GMT
Server: Apache/2.4.34 (Red Hat) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4 mod_wsgi/4.5.18 Python/3.6 PHP/7.1.8 mod_perl/2.0.10 Perl/v5.26.1
Content-Length: 322
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>421 Misdirected Request</title>
</head><body>
<h1>Misdirected Request</h1>
<p>The client needs a new connection for this
request as the requested host name does not match
the Server Name Indication (SNI) in use for this
connection.</p>
</body></html>
========================
:: [ 00:53:45 ] :: [   FAIL   ] :: File 'output' should contain 'docroot-beta' 
:: [ 00:53:45 ] :: [   FAIL   ] :: File 'output' should contain '200 OK' 
<snip>
========================
Content of output file:
------------------------
HTTP/1.1 421 Misdirected Request
Date: Wed, 03 Oct 2018 22:53:45 GMT
Server: Apache/2.4.34 (Red Hat) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4 mod_wsgi/4.5.18 Python/3.6 PHP/7.1.8 mod_perl/2.0.10 Perl/v5.26.1
Content-Length: 322
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>421 Misdirected Request</title>
</head><body>
<h1>Misdirected Request</h1>
<p>The client needs a new connection for this
request as the requested host name does not match
the Server Name Indication (SNI) in use for this
connection.</p>
</body></html>
========================
:: [ 00:53:46 ] :: [   FAIL   ] :: File 'output' should contain 'HTTP/1.1 200 OK' 
<snip>


Full output (old package): http://beaker-archive.host.prod.eng.bos.redhat.com/beaker-logs/2018/10/28675/2867594/5813601/80822645/TESTOUT.log
Full output (new package): http://beaker-archive.host.prod.eng.bos.redhat.com/beaker-logs/2018/10/28676/2867624/5813632/80823798/TESTOUT.log

+++ This bug was initially created as a clone of Bug #1434053 +++

Description of problem:
There was a regression found. The httpd24 collection responds incorrectly if there is an unknown host and/or a host mismatch in requests. "400 Bad Request" is expected, but we get "200 OK".

Version:
httpd24-httpd-2.4.25-8.el7.x86_64  and 
httpd24-httpd-2.4.25-8.el6.x86_64 


How reproducible:
always

Steps to Reproduce:
1. run linked test (/CoreOS/httpd/Regression/bz714704-disable-SNI-if-not-required-by-configuration)

Actual results:
:: [   PASS   ] :: Trigger 400 with bad SNI hint (unknown host) (Expected 0-255, got 0)
HTTP/1.1 200 OK
Date: Fri, 03 Mar 2017 21:35:42 GMT
Server: Apache/2.4.25 (Red Hat) OpenSSL/1.0.1e-fips mod_auth_kerb/5.4 PHP/5.5.21 mod_wsgi/4.5.13 Python/2.7 mod_perl/2.0.9dev Perl/v5.20.1
Last-Modified: Fri, 03 Mar 2017 21:35:38 GMT
ETag: "e-549da53a5c3eb"
Accept-Ranges: bytes
Content-Length: 14
Connection: close
Content-Type: text/html; charset=UTF-8

docroot-alpha
:: [   FAIL   ] :: File 'output' should contain '400 Bad Request' 
:: [  BEGIN   ] :: Trigger 400 with bad SNI hint (host mismatch) :: actually running './client alpha.test:443 beta.test alpha.test /beta.html > output'
writing GET /beta.html HTTP/1.0
Host: beta.test


:: [   PASS   ] :: Trigger 400 with bad SNI hint (host mismatch) (Expected 0-255, got 0)
HTTP/1.1 200 OK
Date: Fri, 03 Mar 2017 21:35:43 GMT
Server: Apache/2.4.25 (Red Hat) OpenSSL/1.0.1e-fips mod_auth_kerb/5.4 PHP/5.5.21 mod_wsgi/4.5.13 Python/2.7 mod_perl/2.0.9dev Perl/v5.20.1
Last-Modified: Fri, 03 Mar 2017 21:35:38 GMT
ETag: "d-549da53aa964b"
Accept-Ranges: bytes
Content-Length: 13
Connection: close
Content-Type: text/html; charset=UTF-8

docroot-beta
:: [   FAIL   ] :: File 'output' should contain '400 Bad Request' 
:: [  BEGIN   ] :: Running 'rm /opt/rh/httpd24/root/etc/httpd/conf.d/rhtsbz714-beta.conf'

Expected results:
The test should pass


Additional info:

--- Additional comment from Joe Orton on 2017-03-31 08:24:39 EDT ---

The behaviour here now matches upstream; in 2.4.18 we had slightly different (more strict) behaviour in some cases when an SNI hint was required. This should be documented in the release notes, but otherwise no change is required.