Hi,
I've tried to enable more portions of the mod_ssl code. Here, a
summary of the patch :
Patch 1 :
1. keepalive connections for SSL seem to work now. Eliminated the
ssl_hook_CloseConnection() from ssl_io_filter_Input, and perform the
operation during connection pool cleanup. I'm also calling the
ssl_hook_CloseConnection if there's a timeout during apr_bucket_read. This
is just for precaution, and can be eliminated later.
2. Take over the "possible security fix" that Geoff Thorpe had posted
sometime back on the modssl-users mailing list (I can provide more details
if required)..
3. Enabled more hooks - ssl_hook_translate_name, ssl_hook_create_request,
and others..
Patch 2 :
4. Change ssl_hook_process_connection to accept a conn_rec structure - just
trying to clean up - in tune with other portions of the code - it's intuitive
to pass a conn_rec to a process_connection hook.. The goal is to call the
ssl_hook_process_connection from ap_hook_process_connection, rather than calling
it manually - as it's being done today..
Please let me know if you have any comments / suggestions.
Thanks
-Madhu
<<patch1.txt>>
<<patch2.txt>>
? patch1.txt
Index: mod_ssl.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/ssl/mod_ssl.c,v
retrieving revision 1.12
diff -u -r1.12 mod_ssl.c
--- mod_ssl.c 2001/07/31 03:40:47 1.12
+++ mod_ssl.c 2001/08/09 00:12:45
@@ -224,6 +224,9 @@
unsigned char *cpVHostID;
char *cpVHostMD5;
+ if (apr_table_get(c->notes, "ssl") != NULL)
+ return APR_SUCCESS;
+
/*
* Create SSL context
*/
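Review bot: The new early return on the `ssl` note carries no comment saying why a connection that already has an SSL object attached is skipped, which matters now that the cover note says keep-alive connections re-enter this path. A one-line comment above the `if`, e.g. `/* presumably keep-alive re-entry: this connection already carries an SSL object */`, would record the intent for the next reader. The enclosing function begins outside the hunk, so whether APR_SUCCESS is the value its other callers expect cannot be confirmed here.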
@@ -469,10 +472,9 @@
return 443;
}
-static int ssl_hook_insert_filter (request_rec *r)
+static void ssl_hook_insert_filter (request_rec *r)
{
/* ssl_hook_ReadReq() */
- return DECLINED;
}
/*
@@ -494,6 +496,7 @@
ap_hook_child_init (ssl_init_Child, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_process_connection (ssl_hook_process_connection,
NULL,NULL, APR_HOOK_MIDDLE);
+#endif
ap_hook_post_read_request (ssl_hook_post_read_request,
NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_translate_name(ssl_hook_Translate, NULL,NULL, APR_HOOK_MIDDLE);
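Review bot: Moving `#endif` up to just after the `ap_hook_process_connection` registration (this hunk and the one ending at L68) leaves post_read_request, translate_name, create_request, type_checker and insert_filter registered unconditionally while process_connection alone stays under the `#if`; the matching `#if` and its condition are outside both hunks, so what is now gated is not visible here. Since the comment at L177-178 says process_connection is called manually from churn(), a note on the directive such as `#endif /* ssl_hook_process_connection is still called manually from churn() */` would explain why exactly that registration remains disabled.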
@@ -508,7 +511,6 @@
ap_hook_create_request(ssl_hook_fixer_upper, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_type_checker (ssl_hook_fixer_upper, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_insert_filter (ssl_hook_insert_filter, NULL,NULL, APR_HOOK_MIDDLE);
-#endif
ssl_var_register();
ssl_io_register();
}
Index: mod_ssl.h
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/ssl/mod_ssl.h,v
retrieving revision 1.23
diff -u -r1.23 mod_ssl.h
--- mod_ssl.h 2001/07/31 07:21:59 1.23
+++ mod_ssl.h 2001/08/09 00:12:45
@@ -597,7 +597,7 @@
void ssl_hook_NewConnection(conn_rec *);
void ssl_hook_TimeoutConnection(int);
int ssl_hook_process_connection(SSLFilterRec *pRec);
-apr_status_t ssl_hook_CloseConnection(SSLFilterRec *);
+apr_status_t ssl_hook_CloseConnection(conn_rec *);
int ssl_hook_Translate(request_rec *);
int ssl_hook_Auth(request_rec *);
int ssl_hook_UserCheck(request_rec *);
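Review bot: This hunk changes the `ssl_hook_CloseConnection` prototype to take `conn_rec *`, but patch 2's mod_ssl.h hunk (ending at L245) is diffed against the same revision 1.23 and still shows `apr_status_t ssl_hook_CloseConnection(SSLFilterRec *);` as a context line. Applied in sequence, the second hunk will conflict or misapply on that line; patch 2 should be regenerated on top of patch 1, or the two merged into one patch.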
Index: ssl_engine_init.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/ssl/ssl_engine_init.c,v
retrieving revision 1.9
diff -u -r1.9 ssl_engine_init.c
--- ssl_engine_init.c 2001/08/02 05:25:53 1.9
+++ ssl_engine_init.c 2001/08/09 00:12:46
@@ -541,7 +541,8 @@
if (mc->nSessionCacheMode == SSL_SCMODE_NONE)
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
else
- SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER);
+ SSL_CTX_set_session_cache_mode(ctx,
+ SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_INTERNAL_LOOKUP);
/*
* Configure callbacks for SSL context
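Review bot: `SSL_SESS_CACHE_NO_INTERNAL_LOOKUP` is added with no comment, although the cover note describes it as the "possible security fix" taken from the modssl-users list. The flag makes OpenSSL skip its own internal session cache when resuming, so lookups go only through mod_ssl's session-cache callback; a comment above the call stating that and naming the source would keep a later maintainer from simplifying it back to `SSL_SESS_CACHE_SERVER`. Sessions are still stored in the internal cache unless `SSL_SESS_CACHE_NO_INTERNAL_STORE` is also set, so if the intent is to keep OpenSSL's internal cache out of the picture entirely, confirm whether that flag is wanted too.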
Index: ssl_engine_io.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/ssl/ssl_engine_io.c,v
retrieving revision 1.15
diff -u -r1.15 ssl_engine_io.c
--- ssl_engine_io.c 2001/08/08 15:49:07 1.15
+++ ssl_engine_io.c 2001/08/09 00:12:46
@@ -266,12 +266,17 @@
*/
return APR_SUCCESS;
}
-
- if(eReadType != APR_NONBLOCK_READ)
+ if (ret == APR_TIMEUP)
+ ssl_hook_CloseConnection(SSL_get_app_data(pRec->pssl));
+ else
+ if (eReadType != APR_NONBLOCK_READ)
ap_log_error(APLOG_MARK,APLOG_ERR,ret,NULL,
- "Read failed in tls_in_filter");
+ "Read failed in ssl_hook_filter_Input");
+
+#if 0 /* XXX - Why do we need these anyway - TBD */
assert(eReadType == APR_NONBLOCK_READ);
assert(ret == APR_SUCCESS || APR_STATUS_IS_EAGAIN(ret));
+#endif
/* In this case, we have data in the output bucket, or we were
* non-blocking, so returning nothing is fine.
*/
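Review bot: In the new `ret == APR_TIMEUP` branch the status from `ssl_hook_CloseConnection` is discarded, whereas the call this patch removes (hunk ending at L138) logged a non-APR_SUCCESS result; the same happens in `ssl_io_filter_cleanup` (hunk ending at L145), which returns APR_SUCCESS regardless. Keeping the old logging at both sites, e.g. `apr_status_t rv = ssl_hook_CloseConnection(SSL_get_app_data(pRec->pssl)); if (rv != APR_SUCCESS) ap_log_error(APLOG_MARK, APLOG_ERR, rv, NULL, "Error in ssl_hook_CloseConnection");`, preserves visibility of shutdown failures. `else` followed by `if` on its own line reads like a dangling-else trap; `else if (eReadType != APR_NONBLOCK_READ)` on one line is clearer. Execution continues after the timeout close and the pool cleanup will call `ssl_hook_CloseConnection` again for the same connection, so that function must be safe to repeat; the enclosing function starts and ends outside the hunk. The new log text names `ssl_hook_filter_Input` while the cover note calls the function `ssl_io_filter_Input`; confirm which is the real name.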
@@ -329,10 +334,6 @@
APLOG_MARK,APLOG_ERR,ret,NULL, "Error in churn_output");
return ret;
}
-
- if ((ret = ssl_hook_CloseConnection (pRec)) != APR_SUCCESS)
- ap_log_error(APLOG_MARK,APLOG_ERR,ret,NULL,
- "Error in ssl_hook_CloseConnection");
break;
}
@@ -384,6 +385,7 @@
apr_status_t ssl_io_filter_cleanup (void *data)
{
SSL *ssl = (SSL *)data;
+ ssl_hook_CloseConnection(SSL_get_app_data(ssl));
return APR_SUCCESS;
}
Index: ssl_engine_kernel.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/ssl/ssl_engine_kernel.c,v
retrieving revision 1.13
diff -u -r1.13 ssl_engine_kernel.c
--- ssl_engine_kernel.c 2001/07/31 03:40:47 1.13
+++ ssl_engine_kernel.c 2001/08/09 00:12:46
@@ -379,14 +379,12 @@
* Close the SSL part of the socket connection
* (called immediately _before_ the socket is closed)
*/
-apr_status_t ssl_hook_CloseConnection(SSLFilterRec *filter)
+apr_status_t ssl_hook_CloseConnection(conn_rec *conn)
{
SSL *ssl;
char *cpType;
- conn_rec *conn;
- ssl = filter->pssl;
- conn = (conn_rec *)SSL_get_app_data(ssl);
+ ssl = (SSL *)apr_table_get(conn->notes, "ssl");
if (ssl == NULL)
return APR_SUCCESS;
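Review bot: `ssl_hook_CloseConnection` now fetches the SSL object from `conn->notes` and returns early only when the note is absent, but the visible lines never reset the note after the close, and the rest of the body is outside the hunk. With this patch the function is reached both from the APR_TIMEUP path in the input filter and from `ssl_io_filter_cleanup`, so a second call re-reads a pointer to an SSL object the first call has already shut down and, if the body frees it, dereferences freed memory. If the body does free `ssl`, finish with `apr_table_setn(conn->notes, "ssl", NULL);`, as the error path in `ssl_hook_process_connection` already does, so repeated calls hit the `ssl == NULL` return. `conn` itself is also unchecked; the cleanup passes `SSL_get_app_data(ssl)`, which is NULL if app data was never attached.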
Index: mod_ssl.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/ssl/mod_ssl.c,v
retrieving revision 1.12
diff -u -r1.12 mod_ssl.c
--- mod_ssl.c 2001/07/31 03:40:47 1.12
+++ mod_ssl.c 2001/08/09 00:18:56
@@ -315,20 +315,18 @@
/*
* The hook is NOT registered with ap_hook_process_connection. Instead, it is
* called manually from the churn () before it tries to read any data.
- * There is some problem if I accept conn_rec *. Still investigating..
- * Adv. if conn_rec * can be accepted is we can hook this function using the
- * ap_hook_process_connection hook.
*/
-int ssl_hook_process_connection(SSLFilterRec *pRec)
+int ssl_hook_process_connection(conn_rec *c)
{
int n, err;
- conn_rec *c = SSL_get_app_data (pRec->pssl);
+ SSL *ssl;
- if (!SSL_is_init_finished(pRec->pssl))
+ ssl = (SSL *)apr_table_get(c->notes, "ssl");
+ if (!SSL_is_init_finished(ssl))
{
- if ((n = SSL_accept(pRec->pssl)) <= 0) {
+ if ((n = SSL_accept(ssl)) <= 0) {
- if ((err = SSL_get_error(pRec->pssl, n)) == SSL_ERROR_ZERO_RETURN) {
+ if ((err = SSL_get_error(ssl, n)) == SSL_ERROR_ZERO_RETURN) {
/*
* The case where the connection was closed before any data
* was transferred. That's not a real error and can occur
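Review bot: `ssl` is looked up from `c->notes` and handed straight to `SSL_is_init_finished` with no NULL check. The note is absent on a connection that never received an SSL object and is explicitly cleared by this function's own error path (hunk ending at L229), so a second call on such a connection, and any non-SSL connection once this is registered with `ap_hook_process_connection` as the cover note intends, dereferences NULL. Add `if (ssl == NULL) return DECLINED;` directly after the lookup. The function continues past the hunk.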
@@ -384,14 +382,14 @@
fb->incnt = strlen((char *)fb->inptr);
#endif
}
- else if (ssl_util_getmodconfig_ssl(pRec->pssl, "ssl::handshake::timeout")
+ else if (ssl_util_getmodconfig_ssl(ssl, "ssl::handshake::timeout")
== (void *)TRUE) {
ssl_log(c->base_server, SSL_LOG_ERROR,
"SSL handshake timed out (client %s, server %s)",
c->remote_ip != NULL ? c->remote_ip : "unknown",
ssl_util_vhostid(c->pool,c->base_server));
}
- else if ((SSL_get_error(pRec->pssl, n) == SSL_ERROR_SYSCALL)
+ else if ((SSL_get_error(ssl, n) == SSL_ERROR_SYSCALL)
&& (errno != EINTR)) {
if (errno > 0)
ssl_log(c->base_server,
@@ -421,9 +419,9 @@
* - kick away the SSL stuff immediately
* - block the socket, so Apache cannot operate any more
*/
- SSL_set_shutdown(pRec->pssl, SSL_RECEIVED_SHUTDOWN);
- SSL_smart_shutdown(pRec->pssl);
- SSL_free(pRec->pssl);
+ SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);
+ SSL_smart_shutdown(ssl);
+ SSL_free(ssl);
apr_table_setn(c->notes, "ssl", NULL);
c->aborted = 1;
return APR_EGENERAL;
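Review bot: The error path frees the SSL object with `SSL_free(ssl)`, clears the note and returns APR_EGENERAL, but the only call site this patch leaves, churn() in ssl_engine_io.c (hunk ending at L258), discards that return and immediately calls `ssl_io_hook_read(pRec->pssl, ...)` on the same pointer, which `pRec->pssl` still holds after the free. Setting `c->aborted = 1` does not stop that read. The caller should check the result and bail out before touching `pRec->pssl` again, e.g. `if (ssl_hook_process_connection(SSL_get_app_data(pRec->pssl)) != APR_SUCCESS) return APR_EGENERAL;` (adjust the return value to whatever churn()'s callers expect; its signature is outside the visible hunks).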
Index: mod_ssl.h
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/ssl/mod_ssl.h,v
retrieving revision 1.23
diff -u -r1.23 mod_ssl.h
--- mod_ssl.h 2001/07/31 07:21:59 1.23
+++ mod_ssl.h 2001/08/09 00:18:56
@@ -596,7 +596,7 @@
/* Apache API hooks */
void ssl_hook_NewConnection(conn_rec *);
void ssl_hook_TimeoutConnection(int);
-int ssl_hook_process_connection(SSLFilterRec *pRec);
+int ssl_hook_process_connection(conn_rec *);
apr_status_t ssl_hook_CloseConnection(SSLFilterRec *);
int ssl_hook_Translate(request_rec *);
int ssl_hook_Auth(request_rec *);
Index: ssl_engine_io.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/ssl/ssl_engine_io.c,v
retrieving revision 1.15
diff -u -r1.15 ssl_engine_io.c
--- ssl_engine_io.c 2001/08/08 15:49:07 1.15
+++ ssl_engine_io.c 2001/08/09 00:18:58
@@ -282,7 +282,7 @@
assert(n >= 0 && (apr_size_t)n == len);
- ssl_hook_process_connection (pRec);
+ ssl_hook_process_connection (SSL_get_app_data(pRec->pssl));
/* pass along all of the current BIO */
while ((n = ssl_io_hook_read(pRec->pssl,