From: Jim Jagielski Date: Thu, 11 Feb 2016 19:03:54 +0000 (+0000) Subject: Merge r1725940 from trunk: X-Git-Tag: 2.4.19~205 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9f9326bb9285bacfcb70d69b2f4ac92fcfa5198d;p=apache Merge r1725940 from trunk: handling TIMEUP on SSL inputs by allowing later retries Submitted by: icing Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1729874 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index e7dd9081c4..68950ad537 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,10 @@ Changes with Apache 2.4.19 + *) mod_ssl: handle TIMEOUT on empty SSL input as non-fatal, returning + APR_TIMEUP and preserving connection state for later retry. + [Stefan Eissing] + *) mod_ssl: Save some TLS record (application data) fragmentations by including the last and subsequent suitable buckets when coalescing. [Yann Ylavic] diff --git a/STATUS b/STATUS index 7283baa950..b69018fa8e 100644 --- a/STATUS +++ b/STATUS @@ -112,11 +112,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - *) mod_ssl: handle APR_TIMEUP on empty input by keeping connection state valid - for later retries. - trunk patch: http://svn.apache.org/r1725940 - +1: icing, jim, ylavic - *) core: Prevent a server crash in case of an invalid CONNECT request with a custom error page for status code 400 that uses server side includes. PR 58929 diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c index 5a5a538161..ab2c933d87 100644 --- a/modules/ssl/ssl_engine_io.c +++ b/modules/ssl/ssl_engine_io.c 
@@ -489,6 +489,12 @@ static int bio_filter_in_read(BIO *bio, char *in, int inlen) return -1; } + if (block == APR_BLOCK_READ + && APR_STATUS_IS_TIMEUP(inctx->rc) + && APR_BRIGADE_EMPTY(inctx->bb)) { + /* don't give up, just return the timeout */ + return -1; + } if (inctx->rc != APR_SUCCESS) { /* Unexpected errors discard the brigade */ apr_brigade_cleanup(inctx->bb); @@ -670,6 +676,10 @@ static apr_status_t ssl_io_input_read(bio_filter_in_ctx_t *inctx, } continue; /* Blocking and nothing yet? Try again. */ } + else if (APR_STATUS_IS_TIMEUP(inctx->rc)) { + /* just return it, the calling layer might be fine with it, + and we do not want to bloat the log. */ + } else { ap_log_cerror(APLOG_MARK, APLOG_INFO, inctx->rc, c, APLOGNO(01991) "SSL input filter read failed.");
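Review bot: In the CHANGES hunk, the entry says "TIMEOUT" in one place and "APR_TIMEUP" in another; use one term. The entry also omits that the new handling applies only to blocking reads with an empty brigade, which is what the code tests (`block == APR_BLOCK_READ` and `APR_BRIGADE_EMPTY(inctx->bb)`). Stating that would stop readers from assuming every timeout on SSL input is now non-fatal.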
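Review bot: In the bio_filter_in_read hunk (@@ -489), the new early `return -1` has the same return value as the `return -1` directly above it, so a caller can tell the retryable timeout from a failure only by inspecting inctx->rc. The comment "don't give up, just return the timeout" should say so explicitly: this path deliberately skips the `apr_brigade_cleanup(inctx->bb)` in the following `inctx->rc != APR_SUCCESS` branch and leaves inctx->rc set to the timeout for the caller to act on. It is also worth documenting why the test is restricted to APR_BLOCK_READ, and that a timeout with a non-empty brigade still falls through to the "Unexpected errors discard the brigade" path. If that is intended, a one-line note avoids someone widening the condition later.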
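Review bot: In the ssl_io_input_read hunk (@@ -670), the new `else if (APR_STATUS_IS_TIMEUP(inctx->rc))` branch has a body that contains only a comment. That reads as an unfinished branch and is easy to break in a later edit. If the final `else` does nothing beyond the APLOGNO(01991) `ap_log_cerror` call, guarding that call with `!APR_STATUS_IS_TIMEUP(inctx->rc)` expresses the same intent without an empty block. Alternatively, keep the branch but log the timeout at a trace level so it stays diagnosable without adding to the INFO log. The comment should also name where inctx->rc is handed back to the calling layer, since that is not visible in this hunk.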