On 11/25/2010 4:14 AM, "Plüm, Rüdiger, VF-Group" wrote:
the following seems better:
+ else if(strcmp(apr_table_get(backend->connection->notes, "SSL_connect_rv"),
"err") == 0) {
+ return ap_proxyerror(r, HTTP_INTERNAL_SERVER_ERROR,
+ "Error during SSL Handshake with remote
server");
+
Regards
Rüdiger
I agree that the message should be logged as such since logging higher
than INFO would hide the actual SSL error from mod_ssl. My focus though
is on marking the backend server out of service as you can't communicate
unless the SSL transport has been established (essentially a failure to
connect). Nothing else in the request/response cycle in mod_proxy_http
does this due to handshake errors and this spot seems to be the very
first place we can actually check for that condition.
I have updated the patches to log your suggested message after marking
the workers to be in error state.
--
Daniel Ruggeri
Index: httpd-2.2.x/STATUS
===================================================================
--- httpd-2.2.x/STATUS (revision 1037345)
+++ httpd-2.2.x/STATUS (working copy)
@@ -184,6 +184,14 @@
enabling/disabling the basic capability is not split out into mod_unixd
2.2.x.
+1: trawick
+ * mod_proxy_http: Become aware of ssl handshake failures when attempting
+ to pass request. Makes it so workers are put in error state when a
+ handshake failure is encountered.
+ PR50332
+ Trunk patch: https://issues.apache.org/bugzilla/attachment.cgi?id=26344
+ 2.2.x patch: https://issues.apache.org/bugzilla/attachment.cgi?id=26343
+ druggeri: Need doc update?
+
PATCHES/ISSUES THAT ARE STALLED
* core: Support wildcards in both the directory and file components of
Index: httpd-2.2.x/STATUS
===================================================================
--- httpd-2.2.x/STATUS (revision 1037345)
+++ httpd-2.2.x/STATUS (working copy)
@@ -184,6 +184,14 @@
enabling/disabling the basic capability is not split out into mod_unixd
2.2.x.
+1: trawick
+ * mod_proxy_http: Become aware of ssl handshake failures when attempting
+ to pass request. Makes it so workers are put in error state when a
+ handshake failure is encountered.
+ PR50332
+ Trunk patch: https://issues.apache.org/bugzilla/attachment.cgi?id=26339
+ 2.2.x patch: https://issues.apache.org/bugzilla/attachment.cgi?id=26338
+ druggeri: Need doc update?
+
PATCHES/ISSUES THAT ARE STALLED
* core: Support wildcards in both the directory and file components of
Index: httpd-2.2.x/modules/proxy/mod_proxy_http.c
===================================================================
--- httpd-2.2.x/modules/proxy/mod_proxy_http.c (revision 1037345)
+++ httpd-2.2.x/modules/proxy/mod_proxy_http.c (working copy)
@@ -272,6 +272,12 @@
"proxy: pass request body failed to %pI (%s)",
conn->addr, conn->hostname);
if (origin->aborted) {
+ if(strcmp(apr_table_get(origin->notes, "SSL_connect_rv"), "err")
== 0){
+ conn->worker->s->status |= PROXY_WORKER_IN_ERROR;
+ conn->worker->s->error_time = apr_time_now();
+ return ap_proxyerror(r, HTTP_INTERNAL_SERVER_ERROR,
+ "Error during SSL Handshake with remote
server");
+ }
return APR_STATUS_IS_TIMEUP(status) ? HTTP_GATEWAY_TIME_OUT :
HTTP_BAD_GATEWAY;
}
else {
Index: httpd-2.2.x/modules/ssl/ssl_engine_io.c
===================================================================
--- httpd-2.2.x/modules/ssl/ssl_engine_io.c (revision 1037345)
+++ httpd-2.2.x/modules/ssl/ssl_engine_io.c (working copy)
@@ -1065,6 +1065,7 @@
ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server);
/* ensure that the SSL structures etc are freed, etc: */
ssl_filter_io_shutdown(filter_ctx, c, 1);
+ apr_table_set(c->notes, "SSL_connect_rv", "err");
return HTTP_BAD_GATEWAY;
}
@@ -1082,6 +1083,7 @@
}
/* ensure that the SSL structures etc are freed, etc: */
ssl_filter_io_shutdown(filter_ctx, c, 1);
+ apr_table_set(c->notes, "SSL_connect_rv", "err");
return HTTP_BAD_GATEWAY;
}
X509_free(cert);
@@ -1101,10 +1103,12 @@
hostname, hostname_note);
/* ensure that the SSL structures etc are freed, etc: */
ssl_filter_io_shutdown(filter_ctx, c, 1);
+ apr_table_set(c->notes, "SSL_connect_rv", "err");
return HTTP_BAD_GATEWAY;
}
}
+ apr_table_set(c->notes, "SSL_connect_rv", "ok");
return APR_SUCCESS;
}
Index: httpd-trunk/modules/proxy/mod_proxy_http.c
===================================================================
--- httpd-trunk/modules/proxy/mod_proxy_http.c (revision 1037345)
+++ httpd-trunk/modules/proxy/mod_proxy_http.c (working copy)
@@ -1468,6 +1468,12 @@
return ap_proxyerror(r, HTTP_SERVICE_UNAVAILABLE, "Timeout
on 100-Continue");
}
}
+ else if(strcmp(apr_table_get(backend->connection->notes,
"SSL_connect_rv"), "err") == 0) {
+ backend->worker->s->status |= PROXY_WORKER_IN_ERROR;
+ backend->worker->s->error_time = apr_time_now();
+ return ap_proxyerror(r, HTTP_INTERNAL_SERVER_ERROR,
+ "Error during SSL Handshake with remote
server");
+ }
/*
* If we are a reverse proxy request shutdown the connection
* WITHOUT ANY response to trigger a retry by the client
Index: httpd-trunk/modules/ssl/ssl_engine_io.c
===================================================================
--- httpd-trunk/modules/ssl/ssl_engine_io.c (revision 1037345)
+++ httpd-trunk/modules/ssl/ssl_engine_io.c (working copy)
@@ -1091,6 +1091,7 @@
ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, server);
/* ensure that the SSL structures etc are freed, etc: */
ssl_filter_io_shutdown(filter_ctx, c, 1);
+ apr_table_set(c->notes, "SSL_connect_rv", "err");
return MODSSL_ERROR_BAD_GATEWAY;
}
@@ -1108,6 +1109,7 @@
}
/* ensure that the SSL structures etc are freed, etc: */
ssl_filter_io_shutdown(filter_ctx, c, 1);
+ apr_table_set(c->notes, "SSL_connect_rv", "err");
return HTTP_BAD_GATEWAY;
}
X509_free(cert);
@@ -1127,10 +1129,12 @@
hostname, hostname_note);
/* ensure that the SSL structures etc are freed, etc: */
ssl_filter_io_shutdown(filter_ctx, c, 1);
+ apr_table_set(c->notes, "SSL_connect_rv", "err");
return HTTP_BAD_GATEWAY;
}
}
+ apr_table_set(c->notes, "SSL_connect_rv", "ok");
return APR_SUCCESS;
}
