Bug 1434053 - Unknown host or mismatch requests should return 400
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Software Collections
Classification: Red Hat
Component: httpd
Version: httpd24
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: beta
: 2.4
Assignee: Luboš Uhliarik ✈
QA Contact: BaseOS QE - Apps
URL:
Whiteboard:
Depends On:
Blocks: 1638759
 
Reported: 2017-03-20 15:58 UTC by Jan Houska
Modified: 2018-10-12 12:01 UTC

Fixed In Version:
Doc Type: Deprecated Functionality
Doc Text:
Previously, in an SSL/TLS configuration requiring name-based SSL virtual host selection, mod_ssl would reject requests with a "400 Bad Request" error if the hostname provided in the "Host:" header did not match the hostname provided in a Server Name Indication (SNI) header. Such requests are no longer rejected if the configured SSL/TLS security parameters are identical between the selected virtual hosts, in line with the behaviour of upstream mod_ssl.
Clone Of:
: 1638759 (view as bug list)
Environment:
Last Closed: 2017-03-31 12:24:39 UTC



Description Jan Houska 2017-03-20 15:58:08 UTC
Description of problem:
There was a regression found. The httpd24 collection responds incorrectly if there is an unknown host and/or host mismatch in requests. "400 Bad Request" is expected, but we get "200 OK".

Version:
httpd24-httpd-2.4.25-8.el7.x86_64  and 
httpd24-httpd-2.4.25-8.el6.x86_64 


How reproducible:
always

Steps to Reproduce:
1. Run the linked test (/CoreOS/httpd/Regression/bz714704-disable-SNI-if-not-required-by-configuration)

Actual results:
:: [   PASS   ] :: Trigger 400 with bad SNI hint (unknown host) (Expected 0-255, got 0)
HTTP/1.1 200 OK
Date: Fri, 03 Mar 2017 21:35:42 GMT
Server: Apache/2.4.25 (Red Hat) OpenSSL/1.0.1e-fips mod_auth_kerb/5.4 PHP/5.5.21 mod_wsgi/4.5.13 Python/2.7 mod_perl/2.0.9dev Perl/v5.20.1
Last-Modified: Fri, 03 Mar 2017 21:35:38 GMT
ETag: "e-549da53a5c3eb"
Accept-Ranges: bytes
Content-Length: 14
Connection: close
Content-Type: text/html; charset=UTF-8

docroot-alpha
:: [   FAIL   ] :: File 'output' should contain '400 Bad Request' 
:: [  BEGIN   ] :: Trigger 400 with bad SNI hint (host mismatch) :: actually running './client alpha.test:443 beta.test alpha.test /beta.html > output'
writing GET /beta.html HTTP/1.0
Host: beta.test


:: [   PASS   ] :: Trigger 400 with bad SNI hint (host mismatch) (Expected 0-255, got 0)
HTTP/1.1 200 OK
Date: Fri, 03 Mar 2017 21:35:43 GMT
Server: Apache/2.4.25 (Red Hat) OpenSSL/1.0.1e-fips mod_auth_kerb/5.4 PHP/5.5.21 mod_wsgi/4.5.13 Python/2.7 mod_perl/2.0.9dev Perl/v5.20.1
Last-Modified: Fri, 03 Mar 2017 21:35:38 GMT
ETag: "d-549da53aa964b"
Accept-Ranges: bytes
Content-Length: 13
Connection: close
Content-Type: text/html; charset=UTF-8

docroot-beta
:: [   FAIL   ] :: File 'output' should contain '400 Bad Request' 
:: [  BEGIN   ] :: Running 'rm /opt/rh/httpd24/root/etc/httpd/conf.d/rhtsbz714-beta.conf'

Expected results:
The test should pass


Additional info:

Comment 1 Joe Orton 2017-03-31 12:24:39 UTC
The behaviour here now matches upstream; in 2.4.18 we had slightly different (more strict) behaviour in some cases when an SNI hint was required.  This should be documented in the release notes, but otherwise no change is required.

