From a5511fe280d5eb1acc6fa161a57637faeae99c34 Mon Sep 17 00:00:00 2001
From: Stefan Eissing
Date: Mon, 8 Feb 2016 16:50:07 +0000
Subject: [PATCH] let proxy handler forward ALPN protocol strings for ssl proxy connections
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1729208 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/proxy/proxy_util.c | 2 ++
 modules/ssl/ssl_engine_io.c | 38 ++++++++++++++++++++++++++++++++++++-
 2 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
index 2b8b73d4dc..c4112d5c1f 100644
--- a/modules/proxy/proxy_util.c
+++ b/modules/proxy/proxy_util.c
@@ -2717,6 +2717,8 @@ PROXY_DECLARE(int) ap_proxy_connect_backend(const char *proxy_function,
 if (conn->sock) {
 if (!(connected = ap_proxy_is_socket_connected(conn->sock))) {
+ /* FIXME: this loses conn->ssl_hostname and it will not be
+ * restablished before the SSL connection is made -> no SNI! */
 socket_cleanup(conn);
 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(00951)
 "%s: backend socket is disconnected.",
diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
index 16e82417f7..1c931caacb 100644
--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
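Review bot: The FIXME placed above `socket_cleanup(conn)` admits that the reconnect path drops `conn->ssl_hostname`, so a backend TLS connection re-established here is made without SNI, yet the comment is the only change and the loss itself is left in place; a backend that selects its certificate by SNI can then present a different certificate than the one the original connection negotiated (the exact effect depends on socket_cleanup and the SSL setup, which are outside this hunk). If the fix is deferred, at least keep the marker precise and correct the typo: `/* FIXME: this loses conn->ssl_hostname and it will not be` / ` * re-established before the SSL connection is made -> no SNI! */`. ap_proxy_connect_backend starts and ends outside the hunk.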
@@ -1146,12 +1146,48 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
 #endif
 const char *hostname_note = apr_table_get(c->notes,
 "proxy-request-hostname");
+ const char *alpn_note;
 BOOL proxy_ssl_check_peer_ok = TRUE;
 int post_handshake_rc = OK;
 sc = mySrvConfig(server);
 #ifdef HAVE_TLSEXT
+#ifdef HAVE_TLS_ALPN
+ alpn_note = apr_table_get(c->notes, "proxy-request-alpn-protos");
+ if (alpn_note) {
+ char *protos, *s, *p, *last;
+ apr_size_t len;
+
+ s = protos = apr_pcalloc(c->pool, strlen(alpn_note)+1);
+ p = apr_pstrdup(c->pool, alpn_note);
+ while ((p = apr_strtok(p, ", ", &last))) {
+ len = last - p - (*last? 1 : 0);
+ if (len > 255) {
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO()
+ "ALPN proxy protocol identifier too long: %s",
+ p);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, server);
+ return APR_EGENERAL;
+ }
+ *s++ = (unsigned char)len;
+ while (len--) {
+ *s++ = *p++;
+ }
+ p = last;
+ }
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, c,
+ "setting alpn protos from '%s', protolen=%d",
+ alpn_note, (int)(s - protos));
+ if (protos != s && SSL_set_alpn_protos(filter_ctx->pssl,
+ (unsigned char *)protos,
+ s - protos)) {
+ ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO()
+ "error setting alpn protos from '%s'", alpn_note);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_WARNING, server);
+ }
+ }
+#endif /* defined HAVE_TLS_ALPN */
 /*
 * Enable SNI for backend requests. Make sure we don't do it for
 * pure SSLv3 connections, and also prevent IP addresses
@@ -1176,7 +1212,7 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
 ssl_log_ssl_error(SSLLOG_MARK, APLOG_WARNING, server);
 }
 }
-#endif
+#endif /* defined HAVE_TLSEXT */
 if ((n = SSL_connect(filter_ctx->pssl)) <= 0) {
 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02003)
--
2.40.0
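Review bot: `len = last - p - (*last? 1 : 0);` miscounts a token that is followed by a separator at the very end of the note (a trailing comma or space): apr_strtok has already replaced that separator with NUL and advanced `last` past it, so `*last` is '\0', the subtraction is skipped, and the identifier is emitted with a length one too large and a stray NUL byte copied into the wire-format list, which a backend would presumably not match. Because apr_strtok NUL-terminates each token in the pstrdup'd copy, `len = strlen(p);` is both simpler and correct; the `len > 255` bound and the buffer sizing (one length byte per consumed separator) keep the writes inside `protos` either way, as far as I can trace it. Separately, the too-long branch calls `ssl_log_ssl_error()` although no OpenSSL call has failed, so it reports whatever unrelated errors happen to sit on the error queue; drop that line and let the `ap_log_cerror` above it stand alone. The two new `APLOGNO()` placeholders are empty and need numbers before merge. ssl_io_filter_handshake begins and ends outside the hunk.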