Provide separate SSL_CT_*_STATUS variables for client vs. proxy
authorJeff Trawick <trawick@apache.org>
Sun, 22 Feb 2015 15:50:54 +0000 (15:50 +0000)
committerJeff Trawick <trawick@apache.org>
Sun, 22 Feb 2015 15:50:54 +0000 (15:50 +0000)
connections, courtesy of a new flag passed from mod_ssl on its
pre_handshake "optional hook."

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1661487 13f79535-47bb-0310-9956-ffa450edef68

docs/manual/mod/mod_ssl_ct.xml
include/ap_mmn.h
modules/ssl/mod_ssl.c
modules/ssl/mod_ssl_ct.c
modules/ssl/mod_ssl_openssl.h

index 50794e3df890906addc4fa790d0f0c84e5f8a7c6..cfc4b7325a91dc55573f058bb1195d3fe1690c44 100644 (file)
@@ -217,10 +217,11 @@ testing.</p>
 <section id="logging">
   <title>Logging CT status in the access log</title>
 
-  <p>Both proxy and server modes set the <code>SSL_CT_PEER_STATUS</code>
-  variable to indicate if the peer is CT-aware.</p>
+  <p>Proxy and server modes set the <code>SSL_CT_PROXY_STATUS</code> and
+  <code>SSL_CT_CLIENT_STATUS</code> variables, respectively, to indicate
+  if the corresponding peer is CT-aware.</p>
 
-  <p>Proxy mode sets the <code>SSL_PROXY_SCT_SOURCES</code> variable to
+  <p>Proxy mode sets the <code>SSL_CT_PROXY_SCT_SOURCES</code> variable to
   indicate whether and where SCTs were obtained (ServerHello, certificate
   extension, etc.).</p>
 
index f92e106d3b7c114d9420b08c14fb4c817832c299..d410c88f8c8d5814f5a28f9d990cad88f9f8c05e 100644 (file)
  * 20150121.0 (2.5.0-dev)  Revert field addition from core_dir_config; r1653666
  * 20150121.1 (2.5.0-dev)  Add cmd_parms_struct.parent to http_config.h
  * 20150121.2 (2.5.0-dev)  Add response_code_exprs to http_core.h
+ * 20150222.0 (2.5.0-dev)  ssl pre_handshake hook now indicates proxy|client
  */
 
 #define MODULE_MAGIC_COOKIE 0x41503235UL /* "AP25" */
index c4f9e90b19bf8b2fad20a99ba7de39fce560780d..afd051a582083ee4aa01eefed2ea26985a88f89f 100644 (file)
@@ -39,8 +39,8 @@ int ssl_running_on_valgrind = 0;
 #endif
 
 APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, pre_handshake,
-                                    (conn_rec *c,SSL *ssl),
-                                    (c,ssl), OK, DECLINED);
+                                    (conn_rec *c,SSL *ssl,int is_proxy),
+                                    (c,ssl,is_proxy), OK, DECLINED);
 
 /*
  *  the table of configuration directives we provide
@@ -512,7 +512,7 @@ int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
         return DECLINED; /* XXX */
     }
 
-    rc = ssl_run_pre_handshake(c, ssl);
+    rc = ssl_run_pre_handshake(c, ssl, sslconn->is_proxy ? 1 : 0);
     if (rc != OK && rc != DECLINED) {
         return rc;
     }
index 8b5f318435fb1ff08c958d7c14304ada8d36c3dd..4e721256801fe534b124cba89eee5f30601cc733 100644 (file)
 #define DOTEXE ""
 #endif
 
-#define STATUS_VAR                "SSL_CT_PEER_STATUS"
+#define CLIENT_STATUS_VAR         "SSL_CT_CLIENT_STATUS"
+#define PROXY_STATUS_VAR          "SSL_CT_PROXY_STATUS"
 #define STATUS_VAR_AWARE_VAL      "peer-aware"
 #define STATUS_VAR_UNAWARE_VAL    "peer-unaware"
 
-#define PROXY_SCT_SOURCES_VAR     "SSL_PROXY_SCT_SOURCES"
+#define PROXY_SCT_SOURCES_VAR     "SSL_CT_PROXY_SCT_SOURCES"
 
 #define DAEMON_NAME         "SCT maintenance daemon"
 #define DAEMON_THREAD_NAME  DAEMON_NAME " thread"
@@ -129,6 +130,8 @@ typedef struct ct_server_config {
 
 typedef struct ct_conn_config {
     int peer_ct_aware;
+    int client_handshake;
+    int proxy_handshake;
     /* proxy mode only */
     cert_chain *certs;
     int server_cert_has_sct_list;
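Review bot: The two new flags `client_handshake` and `proxy_handshake` model what is really one piece of per-connection information (which side of the proxy this conn_rec is on), so the struct admits a state with both or neither set that the readers in ssl_ct_post_read_request and ssl_ct_detach_backend each interpret on their own. The only writer (ssl_ct_pre_handshake in this same commit) sets exactly one of them from the single `is_proxy` flag, so a single field would be a more faithful mirror: `int handshake_seen; /* pre_handshake hook ran for this conn */` and `int is_proxy; /* set from mod_ssl's is_proxy flag */`. Whichever shape is kept, a one-line comment on the fields saying they are set by the pre_handshake hook and are mutually exclusive would help the next reader. The struct definition continues past this hunk.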
@@ -2334,8 +2337,17 @@ static void tlsext_cb(SSL *ssl, int client_server, int type,
     }
 }
 
-static int ssl_ct_pre_handshake(conn_rec *c, SSL *ssl)
+static int ssl_ct_pre_handshake(conn_rec *c, SSL *ssl, int is_proxy)
 {
+    ct_conn_config *conncfg = get_conn_config(c);
+
+    if (is_proxy) {
+        conncfg->proxy_handshake = 1;
+    }
+    else {
+        conncfg->client_handshake = 1;
+    }
+
     ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "client connected (pre-handshake)");
 
     SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp); /* UNDOC */
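Review bot: The debug message right after the new flag assignment still reads `client connected (pre-handshake)` although the function now knows, via `is_proxy`, that the handshake may be towards a backend server, so outbound proxy handshakes are logged as client connections. Suggest `ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "%s (pre-handshake)", is_proxy ? "backend connection" : "client connected");`. The result of `get_conn_config(c)` is dereferenced unconditionally; if that helper can return NULL (its body is not in this diff) the assignment needs a guard. ssl_ct_pre_handshake's body continues past the hunk.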
@@ -2403,11 +2415,13 @@ static int ssl_ct_post_read_request(request_rec *r)
     ct_conn_config *conncfg =
       ap_get_module_config(r->connection->conn_config, &ssl_ct_module);
 
-    if (conncfg && conncfg->peer_ct_aware) {
-        apr_table_set(r->subprocess_env, STATUS_VAR, STATUS_VAR_AWARE_VAL);
-    }
-    else {
-        apr_table_set(r->subprocess_env, STATUS_VAR, STATUS_VAR_UNAWARE_VAL);
+    if (conncfg) {
+        if (conncfg->client_handshake) {
+            apr_table_set(r->subprocess_env, CLIENT_STATUS_VAR,
+                          conncfg->peer_ct_aware ?
+                              STATUS_VAR_AWARE_VAL : STATUS_VAR_UNAWARE_VAL);
+        }
+        /* else no SSL on this client connection */
     }
 
     return DECLINED;
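Review bot: The rewritten branch no longer sets `SSL_CT_CLIENT_STATUS` to `peer-unaware` as a default, so on a plain-HTTP client connection the variable is now absent (a `%{SSL_CT_CLIENT_STATUS}e` LogFormat shows `-`) rather than `peer-unaware`; that is a sensible distinction between "no TLS" and "TLS peer without CT", but nothing in the hunk or the docs change says it is intentional. The trailing `/* else no SSL on this client connection */` comment would carry more weight as `/* no TLS handshake on this client connection: leave SSL_CT_CLIENT_STATUS unset so logs can tell plain HTTP from a CT-unaware TLS peer */`. Note also that `conncfg` here comes from ap_get_module_config() directly, not get_conn_config(), so a NULL is expected and handled by the outer check; it would be worth keeping that asymmetry in mind if the helper ever starts allocating on demand.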
@@ -2631,29 +2645,30 @@ static int ssl_ct_detach_backend(request_rec *r,
                       conncfg->serverhello_has_sct_list,
                       conncfg->ocsp_has_sct_list);
 
-        apr_table_set(r->subprocess_env, STATUS_VAR,
-                      conncfg->peer_ct_aware ? STATUS_VAR_AWARE_VAL : STATUS_VAR_UNAWARE_VAL);
-
-        list = apr_pstrcat(r->pool,
-                           conncfg->server_cert_has_sct_list ? "certext," : "",
-                           conncfg->serverhello_has_sct_list ? "tlsext," : "",
-                           conncfg->ocsp_has_sct_list ? "ocsp" : "",
-                           NULL);
-        if (*list) {
-            last = list + strlen(list) - 1;
-            if (*last == ',') {
-                *last = '\0';
+        if (conncfg->proxy_handshake) {
+            apr_table_set(r->subprocess_env, PROXY_STATUS_VAR,
+                          conncfg->peer_ct_aware ?
+                              STATUS_VAR_AWARE_VAL : STATUS_VAR_UNAWARE_VAL);
+
+            list = apr_pstrcat(r->pool,
+                               conncfg->server_cert_has_sct_list ? "certext," : "",
+                               conncfg->serverhello_has_sct_list ? "tlsext," : "",
+                               conncfg->ocsp_has_sct_list ? "ocsp" : "",
+                               NULL);
+            if (*list) {
+                last = list + strlen(list) - 1;
+                if (*last == ',') {
+                    *last = '\0';
+                }
             }
-        }
 
-        apr_table_set(r->subprocess_env, PROXY_SCT_SOURCES_VAR, list);
+            apr_table_set(r->subprocess_env, PROXY_SCT_SOURCES_VAR, list);
+        }
     }
     else {
-        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-                      "No backend connection available in "
-                      "ssl_ct_detach_backend(); assuming peer unaware");
-        apr_table_set(r->subprocess_env, STATUS_VAR,
-                      STATUS_VAR_UNAWARE_VAL);
+        /* why here?  some odd error path? */
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, 
+                      "No backend connection available in ssl_ct_detach_backend()");
     }
 
     return OK;
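Review bot: The rewritten else branch leaves an open question in the source, `/* why here?  some odd error path? */`, and silently drops the previous fallback that set the status variable to `peer-unaware`; the combination means a request whose backend connection is unavailable now produces no `SSL_CT_PROXY_STATUS` at all, with only a comment admitting nobody knows when that happens. Either the condition should be understood before the fallback is removed, or the comment should state the observable contract, e.g. `/* no backend connection on this request (not a proxied request, or connect failed): SSL_CT_PROXY_STATUS and SSL_CT_PROXY_SCT_SOURCES are left unset */` — the parenthetical is my guess and should be confirmed against the proxy hook's behaviour. The same applies inside the `if` branch: when `proxy_handshake` is 0 (backend reached without TLS) neither variable is set, which differs from the old code and deserves a one-line comment. The `ap_log_rerror(... r, ` line carries trailing whitespace. ssl_ct_detach_backend starts before this hunk.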
index ecca33c15c428b61e6252314522782e6cc3b9538..0fa654ade564f47ea50ceaa53b9698c7272d760a 100644 (file)
@@ -55,9 +55,10 @@ APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, init_server,
  * pre_handshake hook
  * @param c conn_rec for new connection from client or to backend server
  * @param ssl OpenSSL SSL Connection for the client or backend server
+ * @param is_proxy 1 if this handshake is for a backend connection, 0 otherwise
  */
 APR_DECLARE_EXTERNAL_HOOK(ssl, SSL, int, pre_handshake,
-                          (conn_rec *c, SSL *ssl))
+                          (conn_rec *c, SSL *ssl, int is_proxy))
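Review bot: The new `@param is_proxy` line is fine, but the doc block still says nothing about the return contract, which is what an implementer of this hook needs most: in mod_ssl.c the hook is implemented as RUN_ALL with OK and DECLINED as the "keep going" values, and ssl_init_ssl_connection() returns any other value to its caller straight after running the hook. Suggest adding `@return OK or DECLINED to continue; any other value is returned from ssl_init_ssl_connection() before the handshake proceeds` — how that code is then handled further up is outside this diff, so the wording should be checked against the caller. It would also help to say on the `@param is_proxy` line that the value is always exactly 0 or 1 (mod_ssl normalises it with `? 1 : 0`), so implementers can compare rather than test for non-zero if they prefer.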
 
 /**
  * proxy_post_handshake hook -- allow module to abort after successful