From 28019d9d1fdaff3a5827ed3dac1472a93f7c77ff Mon Sep 17 00:00:00 2001
From: Jim Jagielski <jim@apache.org>
Date: Thu, 11 Feb 2016 19:03:04 +0000
Subject: [PATCH] Merge r1717816 from trunk:

Fix missing Upgrade headers on OPTION * requests, PR58688
Submitted by: wrowe
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1729873 13f79535-47bb-0310-9956-ffa450edef68
---
 STATUS                          |  9 ---------
 modules/ssl/ssl_engine_kernel.c | 20 +++++++++++---------
 2 files changed, 11 insertions(+), 18 deletions(-)

diff --git a/STATUS b/STATUS
index b5f46038d6..7283baa950 100644
--- a/STATUS
+++ b/STATUS
@@ -112,15 +112,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-  *) mod_ssl: Fix missing TLS Upgrade/Connection headers on OPTIONS * requests
-     (Note that this is simply a necessary band-aid, and still won't allow h2c
-     to peacefully coexist with tls/n.n upgrades, because Upgrade phase needs
-     to come earlier, not as a handler, and the bogus connection-close behavior
-     must be removed before the Protocol API can handle TLS upgrade.)
-     PR58688
-     trunk patch: http://svn.apache.org/r1717816
-     +1: wrowe, icing, ylavic
-
   *) mod_ssl: handle APR_TIMEUP on empty input by keeping connection state valid
               for later retries.
      trunk patch:  http://svn.apache.org/r1725940
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 5a59dcc836..381f3e016c 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -246,6 +246,17 @@ int ssl_hook_ReadReq(request_rec *r)
         sslconn = myConnConfig(r->connection->master);
     }
     
+    /* If "SSLEngine optional" is configured, this is not an SSL
+     * connection, and this isn't a subrequest, send an Upgrade
+     * response header.  Note this must happen before map_to_storage
+     * and OPTIONS * request processing is completed.
+     */
+    if (sc->enabled == SSL_ENABLED_OPTIONAL && !(sslconn && sslconn->ssl)
+        && !r->main) {
+        apr_table_setn(r->headers_out, "Upgrade", "TLS/1.0, HTTP/1.1");
+        apr_table_mergen(r->headers_out, "Connection", "upgrade");
+    }
+
     if (!sslconn) {
         return DECLINED;
     }
@@ -1318,15 +1329,6 @@ int ssl_hook_Fixup(request_rec *r)
     SSL *ssl;
     int i;
 
-    /* If "SSLEngine optional" is configured, this is not an SSL
-     * connection, and this isn't a subrequest, send an Upgrade
-     * response header. */
-    if (sc->enabled == SSL_ENABLED_OPTIONAL && !(sslconn && sslconn->ssl)
-        && !r->main) {
-        apr_table_setn(r->headers_out, "Upgrade", "TLS/1.0, HTTP/1.1");
-        apr_table_mergen(r->headers_out, "Connection", "upgrade");
-    }
-
     if (!(sslconn && sslconn->ssl) && r->connection->master) {
         sslconn = myConnConfig(r->connection->master);
     }
-- 
2.40.0