Merge r1828390 from trunk:

mod_ssl: Fix merging of proxy SSL context outside <Proxy> sections.

Regression introduced in 2.4.30. PR 62232.

The proxy SSL_CTX was not inherited from the vhost (the only available in
2.4.29) in/for any directory context besides <Proxy>...

Mostly debugged and fixed by Rainer, thanks!

Submitted by: ylavic
Reviewed by: ylavic, rpluem, jim

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1828735 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 3927f86c0b54964e26bc068f97ce52bb469f3759..fa23ab5640b951240ce4dda7ee73853cf3ffae21 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.4.34
 
+  *) mod_ssl: Fix merging of proxy SSL context outside <Proxy> sections,
+     regression introduced in 2.4.30. PR 62232. [Rainer Jung, Yann Ylavic]
+
   *) mod_remoteip: Restore compatibility with APR 1.4 (apr_sockaddr_is_wildcard).
      [Eric Covener]
 
@@ -160,7 +163,7 @@ Changes with Apache 2.4.30 (not released)
      implementing the Let's Encrypt ACMEv1 protocol to signup and renew 
      certificates. Please read the modules documentation for further instructions
      on how to use it. [Stefan Eissing]
-  
+
   *) mod_proxy_html: skip documents shorter than 4 bytes
      PR 56286 [Micha Lenk <micha lenk info>]
 

diff --git a/STATUS b/STATUS
index ea3c47c230a63322b3170658d3930d3fc37ab200..45af76910f26106c7ad536c79a66c448d717cfb8 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -118,11 +118,6 @@ CURRENT RELEASE NOTES:
 
 RELEASE SHOWSTOPPERS:
 
-  *) mod_ssl: Fix merging of proxy SSL context outside <Proxy> sections,
-     regression introduced in 2.4.30. PR 62232.
-     trunk patch: http://svn.apache.org/r1828390
-     2.4.x patch: svn merge -c 1828390 ^/httpd/httpd/trunk .
-     +1: ylavic, rpluem, jim
 
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]

diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index 104d84a141d1d314e91c067f70f30c5bcccf1307..e5fd90165884b0089c7069294dd98c0644b75169 100644 (file)
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -499,13 +499,21 @@ void *ssl_config_perdir_merge(apr_pool_t *p, void *basev, void *addv)
     cfgMergeInt(nRenegBufferSize);
 
     mrg->proxy_post_config = add->proxy_post_config;
-    if (!add->proxy_post_config) {
+    if (!mrg->proxy_post_config) {
         cfgMergeBool(proxy_enabled);
         modssl_ctx_init_proxy(mrg, p);
         modssl_ctx_cfg_merge_proxy(p, base->proxy, add->proxy, mrg->proxy);
+
+        /* Since ssl_proxy_section_post_config() hook won't be called if there
+         * is no SSLProxy* in this dir config, the ssl_ctx may still be NULL
+         * here at runtime. Merging it is either a no-op (NULL => NULL) because
+         * we are still before post config, or we really want to reuse the one
+         * from the upper/server context (outside of <Proxy> sections).
+         */
+        cfgMerge(proxy->ssl_ctx, NULL);
     }
     else {
-        /* post_config hook has already merged and initialized the
+        /* The post_config hook has already merged and initialized the
          * proxy context, use it.
          */
         mrg->proxy_enabled = add->proxy_enabled;