IOW, the following patch works.
Question: Is there any other hook or pool cleanup that I can hook the
ssl_filter_io_shutdown() logic into?
-Madhu
Index: mod_ssl.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/ssl/mod_ssl.c,v
retrieving revision 1.92
diff -u -r1.92 mod_ssl.c
--- mod_ssl.c 1 Jan 2004 13:26:21 -0000 1.92
+++ mod_ssl.c 6 Feb 2004 21:26:59 -0000
@@ -495,6 +495,50 @@
}
}
+static int ssl_hook_logger(request_rec *r)
+{
+ const char *type = "";
+ int shutdown_type;
+ conn_rec *c = r->connection;
+ SSLConnRec *sslconn = myConnConfig(c);
+ SSL *ssl = sslconn->ssl;
+
+
+ if (!ssl) {
+ return OK;
+ }
+
+ switch (sslconn->shutdown_type) {
+ case SSL_SHUTDOWN_TYPE_UNCLEAN:
+ /* perform no close notify handshake at all
+ (violates the SSL/TLS standard!) */
+ shutdown_type = SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN;
+ type = "unclean";
+ break;
+ case SSL_SHUTDOWN_TYPE_ACCURATE:
+ /* send close notify and wait for clients close notify
+ (standard compliant, but usually causes connection hangs) */
+ shutdown_type = 0;
+ type = "accurate";
+ break;
+ default:
+ /*
+ * case SSL_SHUTDOWN_TYPE_UNSET:
+ * case SSL_SHUTDOWN_TYPE_STANDARD:
+ */
+ /* send close notify, but don't wait for clients close notify
+ (standard compliant and safe, so it's the DEFAULT!) */
+ shutdown_type = SSL_RECEIVED_SHUTDOWN;
+ type = "standard";
+ break;
+ }
+
+ SSL_set_shutdown(ssl, shutdown_type);
+ SSL_smart_shutdown(ssl);
+
+ return OK;
+}
+
/*
* the module registration phase
*/
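Review bot: `sslconn` is dereferenced in the initializer `SSL *ssl = sslconn->ssl;` before any check, and because the log_transaction hook registered further down runs for every request, this is a NULL dereference if myConnConfig() returns NULL on connections where SSL is not active (that function is not shown here, so confirm). Declaring `SSL *ssl;` and guarding with `if (!sslconn || !(ssl = sslconn->ssl)) return OK;` would close that. Separately, the hook fires at the end of each request rather than at connection close, so on a keep-alive connection the close_notify would presumably go out after the first response while the socket stays open; the EOS-triggered shutdown in the ssl_engine_io.c hunk lower on this page looks to share that problem. `type` is assigned in every branch but never read, so it should either feed a log line or be dropped.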
@@ -516,6 +560,7 @@
ap_hook_auth_checker (ssl_hook_Auth, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_post_read_request(ssl_hook_ReadReq, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_insert_filter (ssl_hook_Insert_Filter, NULL,NULL, APR_HOOK_MIDDLE);
+ ap_hook_log_transaction(ssl_hook_logger, NULL,NULL, APR_HOOK_MIDDLE);
/* ap_hook_handler (ssl_hook_Upgrade, NULL,NULL, APR_HOOK_MIDDLE); */
ssl_var_register();
-----Original Message-----
From: Mathihalli, Madhusudan
Sent: Friday, February 06, 2004 7:57 AM
To: [EMAIL PROTECTED]
Subject: RE: mod_ssl not sending Alert upon close ?
Nope.. It didn't work that way.
The only way I've been able to get the Alert message on the client is by using the
log_transaction hook to do the SSL_shutdown() - it's an ugly hack.
The more I think about it, the more I feel there's a need for something like a pre-close hook, OR
to have the lingering_close invoke the filter code for _CONNECTION_TYPE filters.
-Madhu
From: Joe Orton [mailto:[EMAIL PROTECTED]
Sent: Fri 2/6/2004 7:03 AM
To: [EMAIL PROTECTED]
Subject: Re: mod_ssl not sending Alert upon close ?
On Thu, Feb 05, 2004 at 02:03:29PM -0800, Mathihalli, Madhusudan wrote:
> Okay. here's what I think is happening : (Client => C Server -> S)
You're right, the alert is never getting sent!
> C -> S : initiates connection
> C <-> S : handshake
> S -> C : server sends application data
> S -> C : server tries to read from the socket
> -> finds nothing (0 bytes returned)
> -> assumes transaction is completed, and starts cleanup process
> -> closes the connection first
> -> frees the pool, which invokes ssl_io_filter_cleanup() and inturn
> ssl_io_filter_shutdown()
> -> ssl_io_filter_shutdown() tries to send 'Close notify'
> OOPS ! The connection has already been terminated
Yes - it's too late to rely on pool cleanups to send the alert: I think
the right place to do this is when the output filter gets the EOS
bucket: the patch below fixes it in my tests, can you test against MSIE?
I'm not convinced about the ordering of the flush/shutdown...
--- modules/ssl/ssl_engine_io.c 23 Jan 2004 16:50:24 -0000 1.114
+++ modules/ssl/ssl_engine_io.c 6 Feb 2004 14:55:16 -0000
@@ -1404,6 +1404,11 @@
* These types do not require translation by OpenSSL.
*/
if (APR_BUCKET_IS_EOS(bucket) || APR_BUCKET_IS_FLUSH(bucket)) {
+ if (APR_BUCKET_IS_EOS(bucket)) {
+ status = ssl_filter_io_shutdown(filter_ctx, f->c, 0);
+ if (status) break;
+ }
+
if (bio_filter_out_flush(filter_ctx->pbioWrite) < 0) {
status = outctx->rc;
break;
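Review bot: The shutdown on EOS runs before `bio_filter_out_flush(filter_ctx->pbioWrite)`, so if ssl_filter_io_shutdown() releases the SSL object and its BIOs (its body is not visible in this hunk), the flush that follows operates on state that is already gone. Flushing pending output first and sending the close_notify afterwards keeps the alert behind the application data and avoids touching the BIO after shutdown. A one-line comment above the new `if`, such as `/* end of stream: send close_notify here, the socket is closed before pool cleanup runs */`, would record why the shutdown lives in the output filter. The enclosing loop begins and ends outside the hunk.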