From: Yann Ylavic
Date: Wed, 10 Dec 2014 18:06:55 +0000 (+0000)
Subject: * mod_ssl: Fix renegotiation failures redirected to an ErrorDocument. PR 57334.
X-Git-Tag: 2.5.0-alpha~3614
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d35b8319c0607bc82051f1aad4293e63aadd4531;p=apache

* mod_ssl: Fix renegotiation failures redirected to an ErrorDocument. PR 57334.
When this occurs, the redirect (internal) request reaches ssl_hook_Access() and make SSL_do_handshake crash probably because we force the renegotiation based on an incomplete SSL state. To avoid this, ssl_hook_Access() now returns FORBIDDEN immediatly if the given SSL connection is not in a valid (handshaken) state.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1644498 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index 3c16fb59ad..fbb5c16b5a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
 -*- coding: utf-8 -*-
 
 Changes with Apache 2.5.0
 
+ *) mod_ssl: Fix renegotiation failures redirected to an ErrorDocument.
+ PR 57334. [Yann Ylavic].
+
 *) core: Fix -D[efined] or [d] variables lifetime accross restarts.
 PR 57328. [Armin Abfalterer , Yann Ylavic].
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 3c255708de..5dec5cc891 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -81,7 +81,8 @@ static apr_status_t upgrade_connection(request_rec *r)
 
 if (SSL_get_state(ssl) != SSL_ST_OK) {
 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030)
- "TLS upgrade handshake failed: not accepted by client!?");
+ "TLS upgrade handshake failed");
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
 return APR_ECONNABORTED;
 }
 
@@ -315,6 +316,16 @@ int ssl_hook_Access(request_rec *r)
 int depth, verify_old, verify, n;
 
 if (ssl) {
+ /*
+ * We should have handshaken here (on handshakeserver),
+ * otherwise we are being redirected (ErrorDocument) from
+ * a renegotiation failure below. The access is still
+ * forbidden in the latter case, let ap_die() handle
+ * this recursive (same) error.
+ */
+ if (SSL_get_state(ssl) != SSL_ST_OK) {
+ return HTTP_FORBIDDEN;
+ }
 ctx = SSL_get_SSL_CTX(ssl);
 }
 
@@ -829,8 +840,8 @@ int ssl_hook_Access(request_rec *r)
 
 if (SSL_get_state(ssl) != SSL_ST_OK) {
 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261)
- "Re-negotiation handshake failed: "
- "Not accepted by client!?");
+ "Re-negotiation handshake failed");
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
 
 r->connection->keepalive = AP_CONN_CLOSE;
 return HTTP_FORBIDDEN;
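Review bot: The new early return in the @@ -315 hunk (the `SSL_get_state(ssl) != SSL_ST_OK` guard inside `if (ssl)`) refuses the request silently and, unlike the renegotiation-failure path in the @@ -829 hunk, does not mark the connection for closing, so if the guard is ever reached other than through the ErrorDocument redirect the comment describes, a connection in an incomplete TLS state is kept alive and nothing in the log explains the 403. Making the guard self-contained would be `r->connection->keepalive = AP_CONN_CLOSE;` before the `return HTTP_FORBIDDEN;`, plus a debug-level `ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "SSL connection not in SSL_ST_OK state at access check, refusing");` so operators can tell this refusal from the original failure. The added comment could also state the condition it enforces rather than "handshaken here (on handshakeserver)", e.g. `/* The TLS handshake must have completed (SSL_ST_OK) before any access decision; ... */`. ssl_hook_Access begins and ends outside these hunks.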