From: Yann Ylavic Date: Wed, 18 Nov 2015 17:15:24 +0000 (+0000) Subject: mod_ssl: follow up to r1709602. X-Git-Tag: 2.5.0-alpha~2638 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b7693e59415203a748469b5b5d3e4074753c9661;p=apache mod_ssl: follow up to r1709602. Fix "HTTP spoken on HTTPS port" broken by the SSL handshake trigger moved to process_connection hook (r1709602) along with H2Direct speculative read. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1715023 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c index 1248ba6fcb..65d9cfe5fd 100644 --- a/modules/ssl/ssl_engine_io.c +++ b/modules/ssl/ssl_engine_io.c @@ -917,7 +917,8 @@ static void ssl_io_filter_disable(SSLConnRec *sslconn, ap_filter_t *f) static apr_status_t ssl_io_filter_error(ap_filter_t *f, apr_bucket_brigade *bb, - apr_status_t status) + apr_status_t status, + int is_init) { SSLConnRec *sslconn = myConnConfig(f->c); apr_bucket *bucket; @@ -931,8 +932,13 @@ static apr_status_t ssl_io_filter_error(ap_filter_t *f, "trying to send HTML error page"); ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, sslconn->server); - sslconn->non_ssl_request = NON_SSL_SEND_HDR_SEP; ssl_io_filter_disable(sslconn, f); + f->c->keepalive = AP_CONN_CLOSE; + if (is_init) { + sslconn->non_ssl_request = NON_SSL_SEND_REQLINE; + return APR_EGENERAL; + } + sslconn->non_ssl_request = NON_SSL_SEND_HDR_SEP; /* fake the request line */ bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc); @@ -1401,11 +1407,22 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f, } if (!inctx->ssl) { + apr_bucket *bucket; SSLConnRec *sslconn = myConnConfig(f->c); + if (sslconn->non_ssl_request == NON_SSL_SEND_REQLINE) { + bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(bb, bucket); + if (mode != AP_MODE_SPECULATIVE) { + sslconn->non_ssl_request = NON_SSL_SEND_HDR_SEP; + } + return APR_SUCCESS; + } if (sslconn->non_ssl_request == NON_SSL_SEND_HDR_SEP) { - apr_bucket *bucket = apr_bucket_immortal_create(CRLF, 2, f->c->bucket_alloc); + bucket = apr_bucket_immortal_create(CRLF, 2, f->c->bucket_alloc); APR_BRIGADE_INSERT_TAIL(bb, bucket); - sslconn->non_ssl_request = NON_SSL_SET_ERROR_MSG; + if (mode != AP_MODE_SPECULATIVE) { + sslconn->non_ssl_request = NON_SSL_SET_ERROR_MSG; + } return APR_SUCCESS; } return ap_get_brigade(f->next, bb, mode, block, readbytes); @@ -1426,7 +1443,7 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f, * rather than have SSLEngine On configured. */ if ((status = ssl_io_filter_handshake(inctx->filter_ctx)) != APR_SUCCESS) { - return ssl_io_filter_error(f, bb, status); + return ssl_io_filter_error(f, bb, status, is_init); } if (is_init) { @@ -1480,7 +1497,7 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f, /* Handle custom errors. */ if (status != APR_SUCCESS) { - return ssl_io_filter_error(f, bb, status); + return ssl_io_filter_error(f, bb, status, 0); } /* Create a transient bucket out of the decrypted data. */ @@ -1670,7 +1687,7 @@ static apr_status_t ssl_io_filter_output(ap_filter_t *f, inctx->block = APR_BLOCK_READ; if ((status = ssl_io_filter_handshake(filter_ctx)) != APR_SUCCESS) { - return ssl_io_filter_error(f, bb, status); + return ssl_io_filter_error(f, bb, status, 0); } while (!APR_BRIGADE_EMPTY(bb) && status == APR_SUCCESS) { diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h index 422bc5fd53..c217dc3684 100644 --- a/modules/ssl/ssl_private.h +++ b/modules/ssl/ssl_private.h @@ -432,6 +432,7 @@ typedef struct { int disabled; enum { NON_SSL_OK = 0, /* is SSL request, or error handling completed */ + NON_SSL_SEND_REQLINE, /* Need to send the fake request line */ NON_SSL_SEND_HDR_SEP, /* Need to send the header separator */ NON_SSL_SET_ERROR_MSG /* Need to set the error message */ } non_ssl_request;