Add Host HTTP header to MS-KKDCP requests
Some web servers require a Host HTTP header for TLS connections that use
SNI (Server Name Indication). For example, Apache HTTPD with a recent
version of mod_nss aborts HTTPS requests that lack a Host header with the
response '400 Bad Request' and the error message:

    Hostname example.org provided via SNI, but no hostname provided in
    HTTP request

The HTTP Host header is also required for virtual hosts. TLS SNI support
was added in 4b6045a.

https://bugzilla.redhat.com/show_bug.cgi?id=1364993

Signed-off-by: Christian Heimes <cheimes@redhat.com>
tiran committed Aug 8, 2016
1 parent eb8dc86 commit 395e494
Showing 1 changed file with 10 additions and 4 deletions.
14 changes: 10 additions & 4 deletions src/lib/krb5/os/sendto_kdc.c
Expand Up @@ -138,6 +138,7 @@ struct conn_state {
struct {
const char *uri_path;
const char *servername;
const char *port;
char *https_request;
k5_tls_handle tls;
} http;
Expand Down Expand Up @@ -611,6 +612,8 @@ make_proxy_request(struct conn_state *state, const krb5_data *realm,
k5_buf_init_dynamic(&buf);
uri_path = (state->http.uri_path != NULL) ? state->http.uri_path : "";
k5_buf_add_fmt(&buf, "POST /%s HTTP/1.0\r\n", uri_path);
k5_buf_add_fmt(&buf, "Host: %s:%s\r\n", state->http.servername,
state->http.port);
k5_buf_add(&buf, "Cache-Control: no-cache\r\n");
k5_buf_add(&buf, "Pragma: no-cache\r\n");
k5_buf_add(&buf, "User-Agent: kerberos/1.0\r\n");
Expand Down Expand Up @@ -673,7 +676,7 @@ static krb5_error_code
add_connection(struct conn_state **conns, k5_transport transport,
krb5_boolean defer, struct addrinfo *ai, size_t server_index,
const krb5_data *realm, const char *hostname,
const char *uri_path, char **udpbufp)
const char *port, const char *uri_path, char **udpbufp)
{
struct conn_state *state, **tailptr;

Expand All @@ -700,6 +703,7 @@ add_connection(struct conn_state **conns, k5_transport transport,
state->service_read = service_https_read;
state->http.uri_path = uri_path;
state->http.servername = hostname;
state->http.port = port;
} else {
state->service_connect = NULL;
state->service_write = NULL;
Expand Down Expand Up @@ -800,7 +804,7 @@ resolve_server(krb5_context context, const krb5_data *realm,
ai.ai_addr = (struct sockaddr *)&entry->addr;
defer = (entry->transport != transport);
return add_connection(conns, entry->transport, defer, &ai, ind, realm,
NULL, entry->uri_path, udpbufp);
NULL, NULL, entry->uri_path, udpbufp);
}

/* If the entry has a specified transport, use it. */
Expand All @@ -826,7 +830,8 @@ resolve_server(krb5_context context, const krb5_data *realm,
retval = 0;
for (a = addrs; a != 0 && retval == 0; a = a->ai_next) {
retval = add_connection(conns, transport, FALSE, a, ind, realm,
entry->hostname, entry->uri_path, udpbufp);
entry->hostname, portbuf, entry->uri_path,
udpbufp);
}

/* For TCP_OR_UDP entries, add each address again with the non-preferred
Expand All @@ -836,7 +841,8 @@ resolve_server(krb5_context context, const krb5_data *realm,
for (a = addrs; a != 0 && retval == 0; a = a->ai_next) {
a->ai_socktype = socktype_for_transport(transport);
retval = add_connection(conns, transport, TRUE, a, ind, realm,
entry->hostname, entry->uri_path, udpbufp);
entry->hostname, portbuf,
entry->uri_path, udpbufp);
}
}
freeaddrinfo(addrs);
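Review bot: `state->http.port = port` in `add_connection` stores a pointer into `portbuf`, which `resolve_server` passes at both call sites and which — judging by its name and its role as the getaddrinfo service string — is a local buffer declared outside this hunk; `make_proxy_request` only reads it later, when the connection is serviced, so the `Host:` header would be built from a dangling pointer and could copy stack garbage into the request sent to the proxy. Either copy the string into the connection state, e.g. `char port[6];` in the `http` struct and `snprintf(state->http.port, sizeof(state->http.port), "%s", port != NULL ? port : "");` in `add_connection`, or derive the port from the connection's resolved address when the request is built and drop the extra parameter. Separately, the `entry->addr` branch now passes `NULL` for both `hostname` and `port`; if an HTTPS entry could ever take that path, `%s` on NULL in `make_proxy_request` is undefined behaviour, so a comment or assertion that HTTPS entries always carry a hostname would pin down that assumption (the condition guarding that branch starts outside the hunk).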
