DO NOT REPLY [Bug 15057] New: - ssl_var_lookup_ssl does not handle SSL_get_session returning NULL

4 Dec 2002 12:12:48 -0000 

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15057>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=15057

ssl_var_lookup_ssl does not handle SSL_get_session returning NULL

           Summary: ssl_var_lookup_ssl does not handle SSL_get_session
                    returning NULL
           Product: Apache httpd-2.0
           Version: 2.0.43
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: Minor
          Priority: Other
         Component: mod_ssl
        AssignedTo: [email protected]
        ReportedBy: [EMAIL PROTECTED]


While working on an Apache 2.0 connection handler to implement EPP within Apache
(see https://sourceforge.net/projects/aepps/) I noticed the following:

If I turn on StdEnvVars httpd will dump core in ssl_var_lookup_ssl as
SSL_get_session returns a NULL pointer. After spending an afternoon with gdb,
etherreal and ssl-telnet I have no clue why connecting with ssl-telnet to 
an SSL/HTTP port gives me a non-NULL session variable whereas using the same
client to connect to my connection-handler returns a NULL value.

I'm using openssl 0.9.6g.

To work around the issue until I eventually find the real cause, I applied
the folllowing patch to my 2.0.43 source-tree:

--- ssl_engine_vars.c   2002/12/04 11:27:14     1.1
+++ ssl_engine_vars.c   2002/12/04 11:27:34
@@ -280,7 +280,8 @@
     else if (ssl != NULL && strcEQ(var, "SESSION_ID")) {
         char buf[SSL_SESSION_ID_STRING_LEN];
         SSL_SESSION *pSession = SSL_get_session(ssl);
-        result = apr_pstrdup(p, SSL_SESSION_id2sz(
+       if (pSession)
+               result = apr_pstrdup(p, SSL_SESSION_id2sz(
                                 SSL_SESSION_get_session_id(pSession),
                                 SSL_SESSION_get_session_id_length(pSession),
                                 buf, sizeof(buf)));


I'm not sure whether this is an issue with mod_ssl, my connection-handler or
openssl. As the patch is simple enough, I would recommend to apply it to
the offcial tree in any case.

cheers,

/ol

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to