Bug 1638759 - Unknown host or mismatch requests should return 400
Summary: Unknown host or mismatch requests should return 400
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Software Collections
Classification: Red Hat
Component: httpd
Version: httpd24
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: beta
Target Release: 2.4
Assignee: Luboš Uhliarik
QA Contact: BaseOS QE - Apps
Docs Contact: Lenka Špačková
URL:
Whiteboard:
Depends On: 1434053
Blocks:
Reported: 2018-10-12 12:01 UTC by Branislav Náter
Modified: 2018-11-09 09:46 UTC

Fixed In Version:
Doc Type: Release Note
Doc Text:
The handling of TLS Server Name Indication (SNI) hints in the Apache HTTP Server has changed.
* If the SNI hint given in the TLS handshake does not match the Host: header in the HTTP request, an HTTP 421 Misdirected Request error response is now sent by the server instead of the previous 400 Bad Request error response.
* If the SNI hint does not match the server name of a configured VirtualHost, the usual VirtualHost matching rules are now followed, that is, matching the first configured host. Previously, a 400 Bad Request error response was sent.
Clone Of: 1434053
Environment:
Last Closed: 2018-11-07 11:28:42 UTC
Target Upstream Version:



Description Branislav Náter 2018-10-12 12:01:04 UTC
Test works on httpd24-httpd-2.4.27-8.el7.1 and throws the following error on httpd24-httpd-2.4.34-3.el7

Previously reported bugs: BZ#1199040, BZ#1434053.
Is this another change of upstream behavior?

<snip>
========================
Content of output file:
------------------------
HTTP/1.1 421 Misdirected Request
Date: Wed, 03 Oct 2018 22:53:45 GMT
Server: Apache/2.4.34 (Red Hat) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4 mod_wsgi/4.5.18 Python/3.6 PHP/7.1.8 mod_perl/2.0.10 Perl/v5.26.1
Content-Length: 322
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>421 Misdirected Request</title>
</head><body>
<h1>Misdirected Request</h1>
<p>The client needs a new connection for this
request as the requested host name does not match
the Server Name Indication (SNI) in use for this
connection.</p>
</body></html>
========================
:: [ 00:53:45 ] :: [   FAIL   ] :: File 'output' should contain 'docroot-beta' 
:: [ 00:53:45 ] :: [   FAIL   ] :: File 'output' should contain '200 OK' 
<snip>
========================
Content of output file:
------------------------
HTTP/1.1 421 Misdirected Request
Date: Wed, 03 Oct 2018 22:53:45 GMT
Server: Apache/2.4.34 (Red Hat) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4 mod_wsgi/4.5.18 Python/3.6 PHP/7.1.8 mod_perl/2.0.10 Perl/v5.26.1
Content-Length: 322
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>421 Misdirected Request</title>
</head><body>
<h1>Misdirected Request</h1>
<p>The client needs a new connection for this
request as the requested host name does not match
the Server Name Indication (SNI) in use for this
connection.</p>
</body></html>
========================
:: [ 00:53:46 ] :: [   FAIL   ] :: File 'output' should contain 'HTTP/1.1 200 OK' 
<snip>


Full output (old package): http://beaker-archive.host.prod.eng.bos.redhat.com/beaker-logs/2018/10/28675/2867594/5813601/80822645/TESTOUT.log
Full output (new package): http://beaker-archive.host.prod.eng.bos.redhat.com/beaker-logs/2018/10/28676/2867624/5813632/80823798/TESTOUT.log

+++ This bug was initially created as a clone of Bug #1434053 +++

Description of problem:
There was a regression found. The httpd24 collection responds incorrectly if there is an unknown host and/or a host mismatch in requests. "400 Bad Request" is expected, but we get "200 OK".

Version:
httpd24-httpd-2.4.25-8.el7.x86_64  and 
httpd24-httpd-2.4.25-8.el6.x86_64 


How reproducible:
always

Steps to Reproduce:
1.run linked test (/CoreOS/httpd/Regression/bz714704-disable-SNI-if-not-required-by-configuration)

Actual results:
:: [   PASS   ] :: Trigger 400 with bad SNI hint (unknown host) (Expected 0-255, got 0)
HTTP/1.1 200 OK
Date: Fri, 03 Mar 2017 21:35:42 GMT
Server: Apache/2.4.25 (Red Hat) OpenSSL/1.0.1e-fips mod_auth_kerb/5.4 PHP/5.5.21 mod_wsgi/4.5.13 Python/2.7 mod_perl/2.0.9dev Perl/v5.20.1
Last-Modified: Fri, 03 Mar 2017 21:35:38 GMT
ETag: "e-549da53a5c3eb"
Accept-Ranges: bytes
Content-Length: 14
Connection: close
Content-Type: text/html; charset=UTF-8

docroot-alpha
:: [   FAIL   ] :: File 'output' should contain '400 Bad Request' 
:: [  BEGIN   ] :: Trigger 400 with bad SNI hint (host mismatch) :: actually running './client alpha.test:443 beta.test alpha.test /beta.html > output'
writing GET /beta.html HTTP/1.0
Host: beta.test


:: [   PASS   ] :: Trigger 400 with bad SNI hint (host mismatch) (Expected 0-255, got 0)
HTTP/1.1 200 OK
Date: Fri, 03 Mar 2017 21:35:43 GMT
Server: Apache/2.4.25 (Red Hat) OpenSSL/1.0.1e-fips mod_auth_kerb/5.4 PHP/5.5.21 mod_wsgi/4.5.13 Python/2.7 mod_perl/2.0.9dev Perl/v5.20.1
Last-Modified: Fri, 03 Mar 2017 21:35:38 GMT
ETag: "d-549da53aa964b"
Accept-Ranges: bytes
Content-Length: 13
Connection: close
Content-Type: text/html; charset=UTF-8

docroot-beta
:: [   FAIL   ] :: File 'output' should contain '400 Bad Request' 
:: [  BEGIN   ] :: Running 'rm /opt/rh/httpd24/root/etc/httpd/conf.d/rhtsbz714-beta.conf'

Expected results:
The test should pass


Additional info:

--- Additional comment from Joe Orton on 2017-03-31 08:24:39 EDT ---

The behaviour here now matches upstream; in 2.4.18 we had slightly different (more strict) behaviour in some cases when an SNI hint was required.  This should be documented in the release notes, but otherwise no change is required.
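An added check, not the reporter's `client` tool or httpd's own code: a Python model of the two release-note rules (421 on SNI/Host mismatch, first configured VirtualHost for an unknown SNI, versus the earlier 400 in both cases) next to a probe that reproduces the test's request shape (SNI set to one name, Host: header set to another) against a server you operate. The vhost list and hostnames are constructed, and certificate verification is disabled on the assumption that the test hosts use self-signed certificates.

```python
import socket
import ssl
from fnmatch import fnmatch

# Constructed vhost list in configuration order (assumed names, not the
# rhtsbz714 test configuration from the report).
VHOSTS = [
    {"ServerName": "alpha.test", "ServerAlias": ["www.alpha.test"]},
    {"ServerName": "beta.test", "ServerAlias": []},
]


def vhost_matches(vhost, name):
    """True if name matches the vhost's ServerName or one of its
    ServerAlias entries (aliases may carry shell-style wildcards)."""
    name = name.lower()
    return name == vhost["ServerName"].lower() or any(
        fnmatch(name, alias.lower()) for alias in vhost["ServerAlias"])


def expected_status(vhosts, sni, host, new_behaviour=True):
    """Status code and served vhost for a request carrying TLS SNI `sni`
    and `Host: host`, per the release-note rules for httpd24 2.4.34, or
    per the earlier 400-on-mismatch behaviour when new_behaviour=False."""
    host_name = host.rsplit(":", 1)[0].lower()   # drop a :port suffix
    if sni.lower() != host_name:                 # rule 1: SNI vs Host:
        return (421 if new_behaviour else 400), None
    for v in vhosts:                             # normal name matching
        if vhost_matches(v, sni):
            return 200, v["ServerName"]
    # rule 2: unknown SNI now falls back to the first configured vhost
    return (200, vhosts[0]["ServerName"]) if new_behaviour else (400, None)


def status_code(raw):
    """Parse the status code out of a raw HTTP response."""
    first = raw.split(b"\r\n", 1)[0].decode("iso-8859-1")
    return int(first.split()[1])


def probe(addr, port, sni, host, path="/"):
    """Open a TLS connection with SNI `sni`, send GET with `Host: host`
    (HTTP/1.0, as the report's client does) and return the status code."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # assumption: self-signed test certs
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((addr, port)) as sock, \
            ctx.wrap_socket(sock, server_hostname=sni) as tls:
        tls.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        raw = b""
        while chunk := tls.recv(4096):
            raw += chunk
    return status_code(raw)
```

Compare `probe(addr, 443, "beta.test", "alpha.test", "/beta.html")` with `expected_status(VHOSTS, "beta.test", "alpha.test")` to confirm a server shows the 2.4.34 behaviour.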

