From 7a221adca5171453e5a88907ed45fc6e1c364ffb Mon Sep 17 00:00:00 2001
From: Ruediger Pluem <rpluem@apache.org>
Date: Fri, 7 Oct 2005 21:05:01 +0000
Subject: [PATCH] * Fix PR36883 (mod_proxy_ajp and tomcat issues).

Submitted by: William Barker <william.barker wilshire.com>
Reviewed by: Ruediger Pluem


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@307195 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES                    |  4 ++
 modules/proxy/ajp_header.c | 89 ++++++++++++++++++++------------------
 2 files changed, 52 insertions(+), 41 deletions(-)

diff --git a/CHANGES b/CHANGES
index 457a4fb06b..cc6e505033 100644
--- a/CHANGES
+++ b/CHANGES
@@ -24,6 +24,10 @@ Changes with Apache 2.3.0
 
 Changes with Apache 2.1.9
 
+  *) mod_proxy_ajp: mod_proxy_ajp sends empty SSL attributes for non SSL
+     connections. PR36883.
+     [William Barker <william.barker wilshire.com>, Ruediger Pluem]
+
   *) Elimiated the NET_TIME filter, restructuring the timeout logic.
      This provides a working mod_echo on all platforms, and ensures any
      custom protocol module is at least given an initial timeout value
diff --git a/modules/proxy/ajp_header.c b/modules/proxy/ajp_header.c
index 1d71994497..03b8f4d0a6 100644
--- a/modules/proxy/ajp_header.c
+++ b/modules/proxy/ajp_header.c
@@ -341,55 +341,62 @@ static apr_status_t ajp_marshal_into_msgb(ajp_msg_t *msg,
  *   SetEnv SSL_SESSION_ID CUSTOM_SSL_SESSION_ID
  * </Location>
  */
-    if ((envvar = ap_proxy_ssl_val(r->pool, r->server, r->connection, r,
-                                AJP13_SSL_CLIENT_CERT_INDICATOR))) {
-        if (ajp_msg_append_uint8(msg, SC_A_SSL_CERT) ||
-            ajp_msg_append_string(msg, envvar)) {
-            ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
-                   "ajp_marshal_into_msgb: "
-                   "Error appending the SSL certificates");
-            return AJP_EOVERFLOW;
+    /*
+     * Only lookup SSL variables if we are currently running HTTPS.
+     * Furthermore ensure that only variables get set in the AJP message
+     * that are not NULL and not empty.
+     */
+    if (is_ssl) {
+        if ((envvar = ap_proxy_ssl_val(r->pool, r->server, r->connection, r,
+                                       AJP13_SSL_CLIENT_CERT_INDICATOR))
+            && envvar[0]) {
+            if (ajp_msg_append_uint8(msg, SC_A_SSL_CERT)
+                || ajp_msg_append_string(msg, envvar)) {
+                ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
+                             "ajp_marshal_into_msgb: "
+                             "Error appending the SSL certificates");
+                return AJP_EOVERFLOW;
+            }
         }
-    }
 
-    if ((envvar = ap_proxy_ssl_val(r->pool, r->server, r->connection, r,
-                                AJP13_SSL_CIPHER_INDICATOR))) {
-        if (ajp_msg_append_uint8(msg, SC_A_SSL_CIPHER) ||
-            ajp_msg_append_string(msg, envvar)) {
-            ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
-                   "ajp_marshal_into_msgb: "
-                   "Error appending the SSL ciphers");
-            return AJP_EOVERFLOW;
+        if ((envvar = ap_proxy_ssl_val(r->pool, r->server, r->connection, r,
+                                       AJP13_SSL_CIPHER_INDICATOR))
+            && envvar[0]) {
+            if (ajp_msg_append_uint8(msg, SC_A_SSL_CIPHER)
+                || ajp_msg_append_string(msg, envvar)) {
+                ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
+                             "ajp_marshal_into_msgb: "
+                             "Error appending the SSL ciphers");
+                return AJP_EOVERFLOW;
+            }
         }
-    }
 
-    if ((envvar = ap_proxy_ssl_val(r->pool, r->server, r->connection, r,
-                                AJP13_SSL_SESSION_INDICATOR))) {
-        if (ajp_msg_append_uint8(msg, SC_A_SSL_SESSION) ||
-            ajp_msg_append_string(msg, envvar)) {
-            ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
-                   "ajp_marshal_into_msgb: "
-                   "Error appending the SSL session");
-            return AJP_EOVERFLOW;
+        if ((envvar = ap_proxy_ssl_val(r->pool, r->server, r->connection, r,
+                                       AJP13_SSL_SESSION_INDICATOR))
+            && envvar[0]) {
+            if (ajp_msg_append_uint8(msg, SC_A_SSL_SESSION)
+                || ajp_msg_append_string(msg, envvar)) {
+                ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
+                             "ajp_marshal_into_msgb: "
+                             "Error appending the SSL session");
+                return AJP_EOVERFLOW;
+            }
         }
-    }
 
-    /*
-     * ssl_key_size is required by Servlet 2.3 API
-     * added support only in ajp14 mode
-     * JFC removed: ae->proto == AJP14_PROTO
-     */
- /* XXXX ignored for the moment
-    if (s->ssl_key_size != -1) {
-        if (ajp_msg_append_uint8(msg, SC_A_SSL_KEY_SIZE) ||
-            ajp_msg_append_uint16(msg, (unsigned short) s->ssl_key_size)) {
-            ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
-                   "Error ajp_marshal_into_msgb - "
-                   "Error appending the SSL key size");
-            return APR_EGENERAL;
+        /* ssl_key_size is required by Servlet 2.3 API */
+        if ((envvar = ap_proxy_ssl_val(r->pool, r->server, r->connection, r,
+                                       AJP13_SSL_KEY_SIZE_INDICATOR))
+            && envvar[0]) {
+
+            if (ajp_msg_append_uint8(msg, SC_A_SSL_KEY_SIZE)
+                || ajp_msg_append_uint16(msg, (unsigned short) atoi(envvar))) {
+                ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
+                             "Error ajp_marshal_into_msgb - "
+                             "Error appending the SSL key size");
+                return APR_EGENERAL;
+            }
         }
     }
- */
     /* Use the environment vars prefixed with AJP_
      * and pass it to the header striping that prefix.
      */
-- 
2.40.0