* Put a note in the connection notes that the SSL handshake to the backend
authorRuediger Pluem <rpluem@apache.org>
Fri, 26 Nov 2010 10:33:19 +0000 (10:33 +0000)
committerRuediger Pluem <rpluem@apache.org>
Fri, 26 Nov 2010 10:33:19 +0000 (10:33 +0000)
  failed such that mod_proxy can put the worker in error state.

PR: 50332
Submitted by: Daniel Ruggeri <DRuggeri primary.net>
Reviewed by: rpluem

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1039304 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
modules/proxy/mod_proxy_http.c
modules/ssl/ssl_engine_io.c

diff --git a/CHANGES b/CHANGES
index 7c0dc7ba05b2bf98f8eede2c5be1c67332b14388..3e6d875abfc4d011816623103b132b128cc2cb46 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,7 +1,11 @@
-                                                         -*- coding: utf-8 -*-
+                                                         -*- coding: utf-8 -*-
 
 Changes with Apache 2.3.10
 
+  *) mod_proxy: Put the worker in error state if the SSL handshake with the
+     backend fails. PR 50332.
+     [Daniel Ruggeri <DRuggeri primary.net>, Ruediger Pluem]
+
   *) mod_cache_disk: Fix Windows build which was broken after renaming
      the module. [Gregg L. Smith]
 
index 573812474882786fa6f9d0f3135f1c949fc72b19..61d59252ac670586d26a8a810a7632353f62d7fe 100644 (file)
@@ -1468,6 +1468,12 @@ apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r,
                     return ap_proxyerror(r, HTTP_SERVICE_UNAVAILABLE, "Timeout on 100-Continue");
                 }
             }
+            else if (strcmp(apr_table_get(backend->connection->notes, 
+                                          "SSL_connect_rv"), "err") == 0) {
+                     return ap_proxyerror(r, HTTP_INTERNAL_SERVER_ERROR,
+                                          "Error during SSL Handshake with"
+                                          " remote server");
+            }
             /*
              * If we are a reverse proxy request shutdown the connection
              * WITHOUT ANY response to trigger a retry by the client
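Review bot: The added `else if` passes the result of `apr_table_get()` straight to `strcmp()`, but `apr_table_get()` returns NULL when the key is absent, so a backend connection on which `SSL_connect_rv` was never set dereferences NULL here and crashes the child process. The other hunks in this commit set the note only inside mod_ssl's handshake filter, so presumably every plain-http backend reaches this branch without it; the surrounding lines suggest this is the path taken when no response could be read from the backend, which an unreliable backend is enough to trigger. Fetch the note first and test it, e.g. `const char *ssl_rv = apr_table_get(backend->connection->notes, "SSL_connect_rv");` followed by `else if (ssl_rv && strcmp(ssl_rv, "err") == 0) {`. The enclosing function starts and ends outside the hunk, so the placement of the declaration has to be settled against the full body.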
index e64fd3bc56b5a2f80121f3c0573b84634c4255a4..da64c059538090737c5a9875207d85d75b79440e 100644 (file)
@@ -1091,6 +1091,7 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
             ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, server);
             /* ensure that the SSL structures etc are freed, etc: */
             ssl_filter_io_shutdown(filter_ctx, c, 1);
+            apr_table_set(c->notes, "SSL_connect_rv", "err");
             return MODSSL_ERROR_BAD_GATEWAY;
         }
 
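Review bot: The key `"SSL_connect_rv"` and its values `"err"`/`"ok"` form an undocumented string contract between mod_ssl and mod_proxy_http, repeated as bare literals at this `apr_table_set` call, in the two later hunks of this file, and again where mod_proxy_http.c reads it. A comment at the first call would make the contract visible, for example `/* tell mod_proxy_http the backend handshake failed; it reads this connection note */`, and a shared macro for the key would stop a typo from silently disconnecting writer and reader. The reader only acts on `"err"`, so any failure return in `ssl_io_filter_handshake` that does not set the note would go unreported to the proxy. None is visible in these hunks, but the function body extends beyond them and should be checked in full.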
@@ -1108,6 +1109,7 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
                 }
                 /* ensure that the SSL structures etc are freed, etc: */
                 ssl_filter_io_shutdown(filter_ctx, c, 1);
+                apr_table_set(c->notes, "SSL_connect_rv", "err");
                 return HTTP_BAD_GATEWAY;
             }
             X509_free(cert);
@@ -1127,10 +1129,12 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
                               hostname, hostname_note);
                 /* ensure that the SSL structures etc are freed, etc: */
                 ssl_filter_io_shutdown(filter_ctx, c, 1);
+                apr_table_set(c->notes, "SSL_connect_rv", "err");
                 return HTTP_BAD_GATEWAY;
             }
         }
 
+        apr_table_set(c->notes, "SSL_connect_rv", "ok");
         return APR_SUCCESS;
     }