From aadb6021c55671a302920e4241c7619993af8a14 Mon Sep 17 00:00:00 2001
From: standa
Date: Wed, 30 Sep 2015 21:45:38 +0200
Subject: Send SNI extension mod_nss acts as a reverse proxy
---
 nss_engine_io.c | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
diff --git a/nss_engine_io.c b/nss_engine_io.c
index 1360748..b851b31 100644
--- a/nss_engine_io.c
+++ b/nss_engine_io.c
@@ -673,6 +673,37 @@ static apr_status_t nss_io_filter_cleanup(void *data)
 return APR_SUCCESS;
 }
+static apr_status_t nss_io_filter_handshake(ap_filter_t *f)
+{
+ conn_rec *c = f->c;
+ SSLConnRec *sslconn = myConnConfig(c);
+
+ /*
+ * Enable SNI for backend requests. Make sure we don't do it for
+ * pure SSLv3 connections
+ */
+ if (sslconn->is_proxy) {
+ const char *hostname_note = apr_table_get(c->notes, "proxy-request-hostname");
+ if (hostname_note) {
+ if (SSL_SetURL(sslconn->ssl, hostname_note) == -1) {
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server,
+ "Error setting SNI extension for SSL Proxy request: %d",
+ PR_GetError());
+ } else {
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, c,
+ "SNI extension for SSL Proxy request set to '%s'",
+ hostname_note);
+ }
+ }
+ else {
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, c,
+ "Can't set SNI extension: no hostname available";
+ }
+ }
+
+ return APR_SUCCESS;
+}
+
 static apr_status_t nss_io_filter_input(ap_filter_t *f, apr_bucket_brigade *bb, ap_input_mode_t mode,
@@ -708,6 +739,10 @@ static apr_status_t nss_io_filter_input(ap_filter_t *f,
 inctx->mode = mode;
 inctx->block = block;
+ if ((status = nss_io_filter_handshake(f)) != APR_SUCCESS) {
+ return nss_io_filter_error(f, bb, status);
+ }
+
 if (is_init) {
 /* protocol module needs to handshake before sending
 * data to client (e.g. NNTP or FTP)
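Review bot: The `else` branch of the new `nss_io_filter_handshake` does not compile as written, because the last `ap_log_error(` call ends in `available";` with no closing `)`. That call and the "set to '%s'" call also pass the `conn_rec *c` where `ap_log_error` takes a `server_rec *`; use `c->base_server` as the first call in the function does. The helper returns `APR_SUCCESS` on every path, so the callers' error branches can never run and a failed `SSL_SetURL` is only an `APLOG_INFO` line; since NSS keeps this URL for the peer-certificate name check in its default auth hook (whether mod_nss relies on that is not visible here), I would log at `APLOG_ERR` and return an error such as `APR_EGENERAL`. The comment promises that pure SSLv3 connections are excluded, but no line checks the protocol version, so either add that check or drop the sentence.

```c
        if (SSL_SetURL(sslconn->ssl, hostname_note) == -1) {
            /* do not continue the proxy connection without the name set */
            ap_log_error(APLOG_MARK, APLOG_ERR, 0, c->base_server,
                         "Error setting SNI extension for SSL Proxy request: %d",
                         PR_GetError());
            return APR_EGENERAL;
        } else {
            ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server,
                         "SNI extension for SSL Proxy request set to '%s'",
                         hostname_note);
        }
    /* … unchanged: end of the hostname_note branch, start of its else … */
        ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server,
                     "Can't set SNI extension: no hostname available");
```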
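Review bot: `nss_io_filter_handshake(f)` is called unconditionally at the top of `nss_io_filter_input` here, and again in `nss_io_filter_output` in the `@@ -829` hunk, so it runs on every filter pass for the life of the connection rather than once before the handshake. Each pass repeats `SSL_SetURL` and writes an `APLOG_INFO` line, and a name set after the ClientHello has gone out cannot change the SNI already sent. I would guard the call with a once-per-connection flag (a new field, for example a placeholder `sni_done` on the connection record; none is visible in this diff) or move it to where the proxy socket is set up. Both filter bodies start and end outside their hunks, so whether `status` is already declared in `nss_io_filter_output` should be checked.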
@@ -829,6 +864,10 @@ static apr_status_t nss_io_filter_output(ap_filter_t *f,
 inctx->mode = AP_MODE_READBYTES;
 inctx->block = APR_BLOCK_READ;
+ if ((status = nss_io_filter_handshake(f)) != APR_SUCCESS) {
+ return nss_io_filter_error(f, bb, status);
+ }
+
 while (!APR_BRIGADE_EMPTY(bb)) {
 apr_bucket *bucket = APR_BRIGADE_FIRST(bb);
-- cgit