* mod_ssl: Fix renegotiation failures redirected to an ErrorDocument. PR 57334.

When this occurs, the redirect (internal) request reaches ssl_hook_Access()
and make SSL_do_handshake crash probably because we force the renegotiation
based on an incomplete SSL state.

To avoid this, ssl_hook_Access() now returns FORBIDDEN immediatly if the given
SSL connection is not in a valid (handshaken) state.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1644498 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 3c16fb59adc2a8ed0acc4b741f258c96b75bd2c4..fbb5c16b5ab75339319a0527647e9972f434edfd 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
   
+  *) mod_ssl: Fix renegotiation failures redirected to an ErrorDocument.
+     PR 57334.  [Yann Ylavic].
+
   *) core: Fix -D[efined] or <Define>[d] variables lifetime accross restarts. 
      PR 57328.  [Armin Abfalterer <a.abfalterer gmail.com>, Yann Ylavic].
 

diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 3c255708dea05e8264131c71874b239cf37c146e..5dec5cc891fe32adadb5d3bab5624fa5628ec72f 100644 (file)
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -81,7 +81,8 @@ static apr_status_t upgrade_connection(request_rec *r)
 
     if (SSL_get_state(ssl) != SSL_ST_OK) {
         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030)
-                      "TLS upgrade handshake failed: not accepted by client!?");
+                      "TLS upgrade handshake failed");
+        ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
 
         return APR_ECONNABORTED;
     }
@@ -315,6 +316,16 @@ int ssl_hook_Access(request_rec *r)
     int depth, verify_old, verify, n;
 
     if (ssl) {
+        /*
+         * We should have handshaken here (on handshakeserver),
+         * otherwise we are being redirected (ErrorDocument) from
+         * a renegotiation failure below. The access is still 
+         * forbidden in the latter case, let ap_die() handle
+         * this recursive (same) error.
+         */
+        if (SSL_get_state(ssl) != SSL_ST_OK) {
+            return HTTP_FORBIDDEN;
+        }
         ctx = SSL_get_SSL_CTX(ssl);
     }
 
@@ -829,8 +840,8 @@ int ssl_hook_Access(request_rec *r)
 
             if (SSL_get_state(ssl) != SSL_ST_OK) {
                 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261)
-                              "Re-negotiation handshake failed: "
-                              "Not accepted by client!?");
+                              "Re-negotiation handshake failed");
+                ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
 
                 r->connection->keepalive = AP_CONN_CLOSE;
                 return HTTP_FORBIDDEN;