Index: modules/http2/h2_conn.c =================================================================== --- modules/http2/h2_conn.c (revision 1709562) +++ modules/http2/h2_conn.c (working copy) @@ -44,7 +44,6 @@ static h2_mpm_type_t mpm_type = H2_MPM_UNKNOWN; static module *mpm_module; -static module *ssl_module; static int checked; static void check_modules(void) @@ -65,9 +64,6 @@ mpm_type = H2_MPM_PREFORK; mpm_module = m; } - else if (!strcmp("mod_ssl.c", m->name)) { - ssl_module = m; - } } checked = 1; } @@ -104,9 +100,6 @@ mpm_type = H2_MPM_PREFORK; mpm_module = m; } - else if (!strcmp("mod_ssl.c", m->name)) { - ssl_module = m; - } } if (minw <= 0) { @@ -422,22 +415,12 @@ env->c.conn_config = ap_create_conn_config(env->pool); env->c.notes = apr_table_make(env->pool, 5); + /* In order to do this in 2.4.x, we need to add a member to conn_rec */ + env->c.master = master; + ap_set_module_config(env->c.conn_config, &core_module, h2_worker_get_socket(worker)); - /* If we serve http:// requests over a TLS connection, we do - * not want any mod_ssl vars to be visible. - */ - if (ssl_module && (!env->scheme || strcmp("http", env->scheme))) { - /* See #19, there is a range of SSL variables to be gotten from - * the main connection that should be available in request handlers - */ - void *sslcfg = ap_get_module_config(master->conn_config, ssl_module); - if (sslcfg) { - ap_set_module_config(env->c.conn_config, ssl_module, sslcfg); - } - } - /* This works for mpm_worker so far. Other mpm modules have * different needs, unfortunately. The most interesting one * being mpm_event... Index: modules/http2/h2_h2.c =================================================================== --- modules/http2/h2_h2.c (revision 1709602) +++ modules/http2/h2_h2.c (working copy) @@ -437,14 +437,6 @@ return opt_ssl_is_https && opt_ssl_is_https(c); } -int h2_tls_disable(conn_rec *c) -{ - if (opt_ssl_engine_disable) { - return opt_ssl_engine_disable(c); - } - return 0; -} - int h2_is_acceptable_connection(conn_rec *c, int require_all) { int is_tls = h2_h2_is_tls(c); Index: modules/http2/h2_h2.h =================================================================== --- modules/http2/h2_h2.h (revision 1709587) +++ modules/http2/h2_h2.h (working copy) @@ -43,12 +43,6 @@ */ int h2_h2_is_tls(conn_rec *c); -/* Disable SSL for this connection, can only be invoked in a pre- - * connection hook before mod_ssl. - * @return != 0 iff disable worked - */ -int h2_tls_disable(conn_rec *c); - /* Register apache hooks for h2 protocol */ void h2_h2_register_hooks(void); Index: modules/http2/h2_task.c =================================================================== --- modules/http2/h2_task.c (revision 1709562) +++ modules/http2/h2_task.c (working copy) @@ -121,12 +121,6 @@ if (h2_ctx_is_task(ctx)) { h2_task_env *env = h2_ctx_get_task(ctx); - /* This connection is a pseudo-connection used for a h2_task. - * Since we read/write directly from it ourselves, we need - * to disable a possible ssl connection filter. - */ - h2_tls_disable(c); - ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c, "h2_h2, pre_connection, found stream task"); Index: modules/ssl/mod_ssl.c =================================================================== --- modules/ssl/mod_ssl.c (revision 1709602) +++ modules/ssl/mod_ssl.c (working copy) @@ -563,8 +563,8 @@ /* * Immediately stop processing if SSL is disabled for this connection */ - if (!(sc && (sc->enabled == SSL_ENABLED_TRUE || - (sslconn && sslconn->is_proxy)))) + if (c->master || !(sc && (sc->enabled == SSL_ENABLED_TRUE || + (sslconn && sslconn->is_proxy)))) { return DECLINED; } Index: modules/ssl/ssl_engine_kernel.c =================================================================== --- modules/ssl/ssl_engine_kernel.c (revision 1709562) +++ modules/ssl/ssl_engine_kernel.c (working copy) @@ -113,6 +113,108 @@ return result; } +static int ap_array_same_str_set(apr_array_header_t *s1, apr_array_header_t *s2) +{ + int i; + const char *c; + + if (s1 == s2) { + return 1; + } + else if (!s1 || !s2 || (s1->nelts != s2->nelts)) { + return 0; + } + + for (i = 0; i < s1->nelts; i++) { + c = APR_ARRAY_IDX(s1, i, const char *); + if (!c || !ap_array_str_contains(s2, c)) { + return 0; + } + } + return 1; +} + +static int ssl_pk_server_compatible(modssl_pk_server_t *pks1, + modssl_pk_server_t *pks2) +{ + if (!pks1 || !pks2) { + return 0; + } + /* both have the same certificates? */ + if ((pks1->ca_name_path != pks2->ca_name_path) + && (!pks1->ca_name_path || !pks2->ca_name_path + || strcmp(pks1->ca_name_path, pks2->ca_name_path))) { + return 0; + } + if ((pks1->ca_name_file != pks2->ca_name_file) + && (!pks1->ca_name_file || !pks2->ca_name_file + || strcmp(pks1->ca_name_file, pks2->ca_name_file))) { + return 0; + } + if (!ap_array_same_str_set(pks1->cert_files, pks2->cert_files) + || !ap_array_same_str_set(pks1->key_files, pks2->key_files)) { + return 0; + } + return 1; +} + +static int ssl_auth_compatible(modssl_auth_ctx_t *a1, + modssl_auth_ctx_t *a2) +{ + if (!a1 || !a2) { + return 0; + } + /* both have the same verification */ + if ((a1->verify_depth != a2->verify_depth) + || (a1->verify_mode != a2->verify_mode)) { + return 0; + } + /* both have the same ca path/file */ + if ((a1->ca_cert_path != a2->ca_cert_path) + && (!a1->ca_cert_path || !a2->ca_cert_path + || strcmp(a1->ca_cert_path, a2->ca_cert_path))) { + return 0; + } + if ((a1->ca_cert_file != a2->ca_cert_file) + && (!a1->ca_cert_file || !a2->ca_cert_file + || strcmp(a1->ca_cert_file, a2->ca_cert_file))) { + return 0; + } + /* both have the same ca cipher suite string */ + if ((a1->cipher_suite != a2->cipher_suite) + && (!a1->cipher_suite || !a2->cipher_suite + || strcmp(a1->cipher_suite, a2->cipher_suite))) { + return 0; + } + return 1; +} + +static int ssl_ctx_compatible(modssl_ctx_t *ctx1, + modssl_ctx_t *ctx2) +{ + if (!ctx1 || !ctx2 + || (ctx1->protocol != ctx2->protocol) + || !ssl_auth_compatible(&ctx1->auth, &ctx2->auth) + || !ssl_pk_server_compatible(ctx1->pks, ctx2->pks)) { + return 0; + } + return 1; +} + +static int ssl_server_compatible(server_rec *s1, server_rec *s2) +{ + SSLSrvConfigRec *sc1 = s1? mySrvConfig(s1) : NULL; + SSLSrvConfigRec *sc2 = s2? mySrvConfig(s2) : NULL; + + /* both use the same TLS protocol? */ + if (!sc1 || !sc2 + || !ssl_ctx_compatible(sc1->server, sc2->server)) { + return 0; + } + + return 1; +} + /* * Post Read Request Handler */ @@ -138,6 +240,9 @@ } sslconn = myConnConfig(r->connection); + if (!(sslconn && sslconn->ssl) && r->connection->master) { + sslconn = myConnConfig(r->connection->master); + } if (!sslconn) { return DECLINED; } @@ -195,15 +300,16 @@ " provided in HTTP request", servername); return HTTP_BAD_REQUEST; } - if (r->server != handshakeserver) { + if (r->server != handshakeserver + && !ssl_server_compatible(sslconn->server, r->server)) { /* - * We are really not in Kansas anymore... * The request does not select the virtual host that was - * selected by the SNI. + * selected by the SNI and its SSL parameters are different */ + ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, APLOGNO(02032) "Hostname %s provided via SNI and hostname %s provided" - " via HTTP select a different server", + " via HTTP have no compatible SSL setup", servername, r->hostname); return HTTP_MISDIRECTED_REQUEST; } @@ -313,8 +419,15 @@ X509_STORE_CTX cert_store_ctx; STACK_OF(SSL_CIPHER) *cipher_list_old = NULL, *cipher_list = NULL; const SSL_CIPHER *cipher = NULL; - int depth, verify_old, verify, n; + int depth, verify_old, verify, n, is_slave = 0; + if (!(sslconn && ssl) && r->connection->master) { + sslconn = myConnConfig(r->connection->master); + ssl = sslconn ? sslconn->ssl : NULL; + handshakeserver = sslconn ? sslconn->server : NULL; + is_slave = 1; + } + if (ssl) { /* * We should have handshaken here (on handshakeserver), @@ -333,7 +446,7 @@ * Support for SSLRequireSSL directive */ if (dc->bSSLRequired && !ssl) { - if (sc->enabled == SSL_ENABLED_OPTIONAL) { + if ((sc->enabled == SSL_ENABLED_OPTIONAL) && !is_slave) { /* This vhost was configured for optional SSL, just tell the * client that we need to upgrade. */ @@ -432,6 +545,18 @@ } /* configure new state */ + /* TODO: this is not a good idea inside a slave connection, since + * multiple threads might try to do the same thing. + * We should instead: + * A. check if the master cipher suite is == the configured one + * -> do nothing (this should work as TLS master connections MUST + * NOT renegotiate) + * B. create a new SSL* from our SSL_CTX and set cipher suite there, + * and retrieve ciphers from, free + * C. if renegotiation is needed, fail the request and add a note + * about the reason so protocol engines can return the proper + * failure codes. + */ if ((dc->szCipherSuite || sc->server->auth.cipher_suite) && !SSL_set_cipher_list(ssl, dc->szCipherSuite ? dc->szCipherSuite : @@ -502,6 +627,15 @@ } if (renegotiate) { + if (is_slave) { + /* The request causes renegotiation on a slave connection. + * This is not allowed since we might have concurrent requests + * on this connection. + */ + apr_table_setn(r->notes, "ssl-renegotiation-forbidden", "cipher-suite"); + return HTTP_FORBIDDEN; + } + #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE if (sc->cipher_server_pref == TRUE) { SSL_set_options(ssl, SSL_OP_CIPHER_SERVER_PREFERENCE); @@ -549,6 +683,9 @@ verify |= SSL_VERIFY_PEER; } + /* TODO: this seems premature since we do not know if there + * are any changes required. + */ SSL_set_verify(ssl, verify, ssl_callback_SSLVerify); SSL_set_verify_result(ssl, X509_V_OK); @@ -564,6 +701,14 @@ (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))) { renegotiate = TRUE; + if (is_slave) { + /* The request causes renegotiation on a slave connection. + * This is not allowed since we might have concurrent requests + * on this connection. + */ + apr_table_setn(r->notes, "ssl-renegotiation-forbidden", "verify-client"); + return HTTP_FORBIDDEN; + } /* optimization */ if ((dc->nOptions & SSL_OPT_OPTRENEGOTIATE) && @@ -1186,6 +1331,10 @@ apr_table_mergen(r->headers_out, "Connection", "upgrade"); } + if (!(sslconn && sslconn->ssl) && r->connection->master) { + sslconn = myConnConfig(r->connection->master); + } + /* * Check to see if SSL is on */ @@ -1208,8 +1357,8 @@ /* standard SSL environment variables */ if (dc->nOptions & SSL_OPT_STDENVVARS) { - modssl_var_extract_dns(env, sslconn->ssl, r->pool); - modssl_var_extract_san_entries(env, sslconn->ssl, r->pool); + modssl_var_extract_dns(env, ssl, r->pool); + modssl_var_extract_san_entries(env, ssl, r->pool); for (i = 0; ssl_hook_Fixup_vars[i]; i++) { var = (char *)ssl_hook_Fixup_vars[i]; Index: modules/ssl/ssl_engine_vars.c =================================================================== --- modules/ssl/ssl_engine_vars.c (revision 1709562) +++ modules/ssl/ssl_engine_vars.c (working copy) @@ -39,7 +39,7 @@ ** _________________________________________________________________ */ -static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, request_rec *r, char *var); +static char *ssl_var_lookup_ssl(apr_pool_t *p, SSLConnRec *sslconn, request_rec *r, char *var); static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, char *var); static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, char *var); static char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, char *var); @@ -49,8 +49,8 @@ static char *ssl_var_lookup_ssl_cert_chain(apr_pool_t *p, STACK_OF(X509) *sk, char *var); static char *ssl_var_lookup_ssl_cert_rfc4523_cea(apr_pool_t *p, SSL *ssl); static char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs); -static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, conn_rec *c); -static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, conn_rec *c, char *var); +static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, SSLConnRec *sslconn); +static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, SSLConnRec *sslconn, char *var); static void ssl_var_lookup_ssl_cipher_bits(SSL *ssl, int *usekeysize, int *algkeysize); static char *ssl_var_lookup_ssl_version(apr_pool_t *p, char *var); static char *ssl_var_lookup_ssl_compress_meth(SSL *ssl); @@ -146,7 +146,7 @@ char *var = (char *)data; SSLConnRec *sslconn = myConnConfig(ctx->c); - return sslconn ? ssl_var_lookup_ssl(ctx->p, ctx->c, ctx->r, var) : NULL; + return sslconn ? ssl_var_lookup_ssl(ctx->p, sslconn, ctx->r, var) : NULL; } static const char *expr_func_fn(ap_expr_eval_ctx_t *ctx, const void *data, @@ -332,9 +332,13 @@ */ if (result == NULL && c != NULL) { SSLConnRec *sslconn = myConnConfig(c); + if (!(sslconn && sslconn->ssl) && c->master) { + /* use master connection if no SSL defined here */ + sslconn = myConnConfig(c->master); + } if (strlen(var) > 4 && strcEQn(var, "SSL_", 4) && sslconn && sslconn->ssl) - result = ssl_var_lookup_ssl(p, c, r, var+4); + result = ssl_var_lookup_ssl(p, sslconn, r, var+4); else if (strcEQ(var, "HTTPS")) { if (sslconn && sslconn->ssl) result = "on"; @@ -404,10 +408,9 @@ return (char *)result; } -static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, request_rec *r, - char *var) +static char *ssl_var_lookup_ssl(apr_pool_t *p, SSLConnRec *sslconn, + request_rec *r, char *var) { - SSLConnRec *sslconn = myConnConfig(c); char *result; X509 *xs; STACK_OF(X509) *sk; @@ -447,7 +450,7 @@ result = "Initial"; } else if (ssl != NULL && strlen(var) >= 6 && strcEQn(var, "CIPHER", 6)) { - result = ssl_var_lookup_ssl_cipher(p, c, var+6); + result = ssl_var_lookup_ssl_cipher(p, sslconn, var+6); } else if (ssl != NULL && strlen(var) > 18 && strcEQn(var, "CLIENT_CERT_CHAIN_", 18)) { sk = SSL_get_peer_cert_chain(ssl); @@ -457,7 +460,7 @@ result = ssl_var_lookup_ssl_cert_rfc4523_cea(p, ssl); } else if (ssl != NULL && strcEQ(var, "CLIENT_VERIFY")) { - result = ssl_var_lookup_ssl_cert_verify(p, c); + result = ssl_var_lookup_ssl_cert_verify(p, sslconn); } else if (ssl != NULL && strlen(var) > 7 && strcEQn(var, "CLIENT_", 7)) { if ((xs = SSL_get_peer_certificate(ssl)) != NULL) { @@ -866,9 +869,8 @@ return result; } -static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, conn_rec *c) +static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, SSLConnRec *sslconn) { - SSLConnRec *sslconn = myConnConfig(c); char *result; long vrc; const char *verr; @@ -902,9 +904,8 @@ return result; } -static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, conn_rec *c, char *var) +static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, SSLConnRec *sslconn, char *var) { - SSLConnRec *sslconn = myConnConfig(c); char *result; BOOL resdup; int usekeysize, algkeysize;