On Mon, Aug 30, 1999, Wilt, Paul wrote:
> [...]
> I started stepping through the mod_ssl hooks to see what I/O occurs between
> the server and the browser. I noticed that I would get the error when
> ssl_io_hook_write() was called. ssl_io_hook_write() tries to retrieve the
> ssl context. If the context is not found, then a plain old write is called.
> I found out that I would get the error when getting the SSL context returned
> a NULL. I then looked at the stack backtrace and found the following:
>
> ssl_io_hook_write
> ap_hook_call
> ap_write
> buff_write
> write_with_errors
> bflush_core
> ap_bflush
> ap_bclose
> child_main
>
> I then looked at the code in child_main() and found that
> ap_call_close_connection_hook(current_conn) is called before calling
> ap_bclose(). Voila--close the connection and the SSL context will be gone!

Oops, great catch! You're right, the pending data is then written out with a
plain write(2) which then causes the I/O errors in the browser. That's a
really subtle problem which is certainly the root of the I/O errors.

> Switching the order of the calls to
> ap_call_close_connection_hook(current_conn) and ap_bclose() gets rid of the
> error message but I don't think that is appropriate.

Exactly, that we cannot do, because then the SSL close notify messages cannot
be sent to the browser.

> I believe (in my so
> far limited knowledge of mod_ssl) that the "logical" SSL connection needs to
> be closed before the "OS" file descriptor is closed. However, if there is
> still data in the outbound buffer it needs to be flushed before the code in
> ap_bclose() gets called. Should instead an ap_bflush() be called within
> ssl_hook_CloseConnection() before doing the SSL connection close?

An ap_bflush() in ssl_hook_CloseConnection() seems also to me the best and the
only correct solution in this situation. That's why I propose the following
patch for 2.4.1:

Index: ssl_engine_kernel.c
===================================================================
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_kernel.c,v
retrieving revision 1.102
diff -u -r1.102 ssl_engine_kernel.c
--- ssl_engine_kernel.c 1999/07/28 13:09:00 1.102
+++ ssl_engine_kernel.c 1999/08/30 16:49:03
@@ -431,6 +431,14 @@
return;
/*
+ * First make sure that no more data is pending in Apache's BUFF,
+ * because when it's (implicitly) flushed later by the ap_bclose()
+ * calls of Apache it would lead to an I/O error in the browser due
+ * to the fact that the SSL layer was already removed by us.
+ */
+ ap_bflush(conn->client);
+
+ /*
* Now close the SSL layer of the connection. We've to take
* the TLSv1 standard into account here:
*
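
Review bot: the result of the new ap_bflush(conn->client) call is discarded, so a failed flush (for example, the client has already gone away) is silent and the code continues straight into the SSL shutdown. ap_bflush() returns a status, so consider checking it and logging on failure before the close notify is attempted. The added comment could also state that this flush is the last point at which buffered data still passes through the SSL write hook, since that ordering is the whole reason for the call.
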
Can you verify that it fixes your problems?
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
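
The ordering problem discussed in this thread, modelled as an added example that is not part of the original messages and is not mod_ssl or Apache code. The struct, function names and sample response are hypothetical; the model only counts how many buffered bytes leave through the plain-write fallback when the SSL layer is removed before versus after the flush.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical model of a buffered connection; not Apache's BUFF or mod_ssl types. */
struct conn {
    char   buf[256];     /* pending outbound data */
    size_t pending;
    int    ssl_active;   /* stands in for "SSL context found" */
    size_t sent_tls;     /* bytes that left through the SSL layer */
    size_t sent_plain;   /* bytes that left through a plain write */
};

/* Write hook: use the SSL layer if present, else fall back to a plain write. */
static void io_write(struct conn *c, size_t n) {
    if (c->ssl_active) c->sent_tls += n;
    else               c->sent_plain += n;
}

static void buf_queue(struct conn *c, const char *data) {
    size_t n = strlen(data);
    if (n > sizeof c->buf - c->pending) n = sizeof c->buf - c->pending;
    memcpy(c->buf + c->pending, data, n);
    c->pending += n;
}
static void buf_flush(struct conn *c) {
    if (c->pending) { io_write(c, c->pending); c->pending = 0; }
}

/* Close hook: flush_first=0 is the order described in the thread, 1 the patched order. */
static void ssl_close_hook(struct conn *c, int flush_first) {
    if (!c->ssl_active) return;
    if (flush_first) buf_flush(c);
    c->ssl_active = 0;   /* SSL layer removed from the connection */
}

/* Runs the shutdown sequence and returns the bytes that bypassed the SSL layer. */
size_t shutdown_leak(int flush_first) {
    struct conn c = {0};
    c.ssl_active = 1;
    buf_queue(&c, "HTTP/1.0 200 OK\r\n\r\nconstructed body"); /* constructed sample */
    ssl_close_hook(&c, flush_first);  /* close-connection hook runs first */
    buf_flush(&c);                    /* implicit flush when the buffer is closed */
    return c.sent_plain;
}

int main(void) {
    printf("unpatched: %zu plaintext bytes\n", shutdown_leak(0));
    printf("patched:   %zu plaintext bytes\n", shutdown_leak(1));
    return 0;
}
```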