subject:"svn commit\: r1740928 \- in \/httpd\/httpd\/trunk\: .\/ include\/ modules\/http2\/ modules\/proxy\/ modules\/ssl\/ server\/"

Re: svn commit: r1740928 - in /httpd/httpd/trunk: ./ include/ modules/http2/ modules/proxy/ modules/ssl/ server/

2017-10-14 Thread Yann Ylavic

Committed something with explanations (hopefully) in r1812193. Does it
sound good?

On Thu, Oct 12, 2017 at 3:54 AM, William A Rowe Jr  wrote:
> I will review again tomorrow.
>
> My jump-around idea was to check against all of the bits in not dir loc
> file, and if the module's MMN minor is too early, treat the  section
> as if that bit is set.
>
>
>
> On Oct 11, 2017 16:13, "Yann Ylavic"  wrote:
>
> On Wed, Oct 11, 2017 at 11:02 PM, Yann Ylavic  wrote:
>> On Wed, Oct 11, 2017 at 10:49 PM, Yann Ylavic 
>> wrote:
>>> On Wed, Oct 11, 2017 at 10:38 PM, Yann Ylavic 
>>> wrote:

 Thus, how about if there, for 2.4.x only (i.e. backport patch), we'd
 instead check for:
> +|| (((forbidden & NOT_IN_PROXY)
> + || (forbidden & NOT_IN_DIR_LOC_FILE) ==
> NOT_IN_DIR_LOC_FILE
> + || (forbidden & GLOBAL_ONLY) == GLOBAL_ONLY)
> +&& ((found = ...)
> +|| ...)))
 ?
>>>
>>> Looks like there are other usages of NOT_IN_DIR_LOC_FILE we should
>>> hack in ap_check_cmd_context() too, but you probably see the idea...
>>
>> Actually, I think the correct fix, even for 2.5/trunk, is something
>> for the attached patch.
>> WDYT?
>
> Sorry, spoke^R patched too soon, this v2 is more correct I guess.
>
>

Re: svn commit: r1740928 - in /httpd/httpd/trunk: ./ include/ modules/http2/ modules/proxy/ modules/ssl/ server/

2017-10-11 Thread William A Rowe Jr

I will review again tomorrow.

My jump-around idea was to check against all of the bits in not dir loc
file, and if the module's MMN minor is too early, treat the 
section as if that bit is set.



On Oct 11, 2017 16:13, "Yann Ylavic"  wrote:

On Wed, Oct 11, 2017 at 11:02 PM, Yann Ylavic  wrote:
> On Wed, Oct 11, 2017 at 10:49 PM, Yann Ylavic 
wrote:
>> On Wed, Oct 11, 2017 at 10:38 PM, Yann Ylavic 
wrote:
>>>
>>> Thus, how about if there, for 2.4.x only (i.e. backport patch), we'd
>>> instead check for:
 +|| (((forbidden & NOT_IN_PROXY)
 + || (forbidden & NOT_IN_DIR_LOC_FILE) ==
NOT_IN_DIR_LOC_FILE
 + || (forbidden & GLOBAL_ONLY) == GLOBAL_ONLY)
 +&& ((found = ...)
 +|| ...)))
>>> ?
>>
>> Looks like there are other usages of NOT_IN_DIR_LOC_FILE we should
>> hack in ap_check_cmd_context() too, but you probably see the idea...
>
> Actually, I think the correct fix, even for 2.5/trunk, is something
> for the attached patch.
> WDYT?

Sorry, spoke^R patched too soon, this v2 is more correct I guess.

Re: svn commit: r1740928 - in /httpd/httpd/trunk: ./ include/ modules/http2/ modules/proxy/ modules/ssl/ server/

2017-10-11 Thread Yann Ylavic

On Wed, Oct 11, 2017 at 11:02 PM, Yann Ylavic  wrote:
> On Wed, Oct 11, 2017 at 10:49 PM, Yann Ylavic  wrote:
>> On Wed, Oct 11, 2017 at 10:38 PM, Yann Ylavic  wrote:
>>>
>>> Thus, how about if there, for 2.4.x only (i.e. backport patch), we'd
>>> instead check for:
 +|| (((forbidden & NOT_IN_PROXY)
 + || (forbidden & NOT_IN_DIR_LOC_FILE) == NOT_IN_DIR_LOC_FILE
 + || (forbidden & GLOBAL_ONLY) == GLOBAL_ONLY)
 +&& ((found = ...)
 +|| ...)))
>>> ?
>>
>> Looks like there are other usages of NOT_IN_DIR_LOC_FILE we should
>> hack in ap_check_cmd_context() too, but you probably see the idea...
>
> Actually, I think the correct fix, even for 2.5/trunk, is something
> for the attached patch.
> WDYT?

Sorry, spoke^R patched too soon, this v2 is more correct I guess.
Index: include/http_config.h
===
--- include/http_config.h	(revision 1811703)
+++ include/http_config.h	(working copy)
@@ -950,10 +950,12 @@ AP_DECLARE(const char *) ap_check_cmd_context(cmd_
 #define  NOT_IN_FILES   0x10 /**< Forbidden in Files or If*/
 #define  NOT_IN_HTACCESS0x20 /**< Forbidden in .htaccess files */
 #define  NOT_IN_PROXY   0x40 /**< Forbidden in Proxy */
+/** Forbidden in Directory/Location/FilesIf*/
+#define  NOT_IN_DIR_LOC_FILE(NOT_IN_DIRECTORY|NOT_IN_LOCATION|NOT_IN_FILES)
 /** Forbidden in Directory/Location/FilesIfProxy*/
-#define  NOT_IN_DIR_LOC_FILE(NOT_IN_DIRECTORY|NOT_IN_LOCATION|NOT_IN_FILES|NOT_IN_PROXY)
+#define  NOT_IN_DIR_LOC_FILE_PROXY (NOT_IN_DIR_LOC_FILE|NOT_IN_PROXY)
 /** Forbidden in VirtualHost/Limit/Directory/Location/Files/IfProxy*/
-#define  GLOBAL_ONLY(NOT_IN_VIRTUALHOST|NOT_IN_LIMIT|NOT_IN_DIR_LOC_FILE)
+#define  GLOBAL_ONLY(NOT_IN_VIRTUALHOST|NOT_IN_LIMIT|NOT_IN_DIR_LOC_FILE_PROXY)
 
 /** @} */
 
Index: server/core.c
===
--- server/core.c	(revision 1811703)
+++ server/core.c	(working copy)
@@ -1323,7 +1323,9 @@ AP_DECLARE(const char *) ap_check_cmd_context(cmd_
 || (found = find_parent(cmd->directive, "directive, "directive, "directive, "directive, "pool, cmd->cmd->name, gt,

Re: svn commit: r1740928 - in /httpd/httpd/trunk: ./ include/ modules/http2/ modules/proxy/ modules/ssl/ server/

2017-10-11 Thread Yann Ylavic

On Wed, Oct 11, 2017 at 10:49 PM, Yann Ylavic  wrote:
> On Wed, Oct 11, 2017 at 10:38 PM, Yann Ylavic  wrote:
>>
>> Thus, how about if there, for 2.4.x only (i.e. backport patch), we'd
>> instead check for:
>>> +|| (((forbidden & NOT_IN_PROXY)
>>> + || (forbidden & NOT_IN_DIR_LOC_FILE) == NOT_IN_DIR_LOC_FILE
>>> + || (forbidden & GLOBAL_ONLY) == GLOBAL_ONLY)
>>> +&& ((found = ...)
>>> +|| ...)))
>> ?
>
> Looks like there are other usages of NOT_IN_DIR_LOC_FILE we should
> hack in ap_check_cmd_context() too, but you probably see the idea...

Actually, I think the correct fix, even for 2.5/trunk, is something
for the attached patch.
WDYT?
Index: include/http_config.h
===
--- include/http_config.h	(revision 1811703)
+++ include/http_config.h	(working copy)
@@ -950,10 +950,12 @@ AP_DECLARE(const char *) ap_check_cmd_context(cmd_
 #define  NOT_IN_FILES   0x10 /**< Forbidden in Files or If*/
 #define  NOT_IN_HTACCESS0x20 /**< Forbidden in .htaccess files */
 #define  NOT_IN_PROXY   0x40 /**< Forbidden in Proxy */
+/** Forbidden in Directory/Location/FilesIf*/
+#define  NOT_IN_DIR_LOC_FILE(NOT_IN_DIRECTORY|NOT_IN_LOCATION|NOT_IN_FILES)
 /** Forbidden in Directory/Location/FilesIfProxy*/
-#define  NOT_IN_DIR_LOC_FILE(NOT_IN_DIRECTORY|NOT_IN_LOCATION|NOT_IN_FILES|NOT_IN_PROXY)
+#define  NOT_IN_DIR_LOC_FILE_PROXY (NOT_IN_DIR_LOC_FILE|NOT_IN_PROXY)
 /** Forbidden in VirtualHost/Limit/Directory/Location/Files/IfProxy*/
-#define  GLOBAL_ONLY(NOT_IN_VIRTUALHOST|NOT_IN_LIMIT|NOT_IN_DIR_LOC_FILE)
+#define  GLOBAL_ONLY(NOT_IN_VIRTUALHOST|NOT_IN_LIMIT|NOT_IN_DIR_LOC_FILE_PROXY)
 
 /** @} */
 
Index: server/core.c
===
--- server/core.c	(revision 1811703)
+++ server/core.c	(working copy)
@@ -1323,7 +1323,9 @@ AP_DECLARE(const char *) ap_check_cmd_context(cmd_
 || (found = find_parent(cmd->directive, "directive, "directive, "directive, "directive, "pool, cmd->cmd->name, gt,

Re: svn commit: r1740928 - in /httpd/httpd/trunk: ./ include/ modules/http2/ modules/proxy/ modules/ssl/ server/

2017-10-11 Thread Yann Ylavic

On Wed, Oct 11, 2017 at 10:38 PM, Yann Ylavic  wrote:
>
> Thus, how about if there, for 2.4.x only (i.e. backport patch), we'd
> instead check for:
>> +|| (((forbidden & NOT_IN_PROXY)
>> + || (forbidden & NOT_IN_DIR_LOC_FILE) == NOT_IN_DIR_LOC_FILE
>> + || (forbidden & GLOBAL_ONLY) == GLOBAL_ONLY)
>> +&& ((found = ...)
>> +|| ...)))
> ?

Looks like there are other usages of NOT_IN_DIR_LOC_FILE we should
hack in ap_check_cmd_context() too, but you probably see the idea...

Re: svn commit: r1740928 - in /httpd/httpd/trunk: ./ include/ modules/http2/ modules/proxy/ modules/ssl/ server/

2017-10-11 Thread Yann Ylavic

On Wed, Oct 11, 2017 at 5:15 PM, William A Rowe Jr  wrote:
>>
>> +#define  NOT_IN_PROXY   0x40 /**< Forbidden in Proxy */
>> +/** Forbidden in
>> Directory/Location/FilesIfProxy*/
>> +#define  NOT_IN_DIR_LOC_FILE
>> (NOT_IN_DIRECTORY|NOT_IN_LOCATION|NOT_IN_FILES|NOT_IN_PROXY)
>> +/** Forbidden in
>> VirtualHost/Limit/Directory/Location/Files/IfProxy*/
>>  #define  GLOBAL_ONLY
>> (NOT_IN_VIRTUALHOST|NOT_IN_LIMIT|NOT_IN_DIR_LOC_FILE)
>
> Reviewing this in much more depth yesterday ... this doesn't seem
> to be a minor MMN bump, so would not be backportable without some
> extra heavy lifting on 2.4 interop.
>
> A module previously compiled against 2.4 would not carry the newly
> correct definition of NOT_IN_DIR_LOC_FILE because all previously
> compiled modules are missing the 0x40 bit, right?

Hmm, right I suppose.

So provided a user updates core to 2.4.thispatch but does not
recompile some modules using NOT_IN_DIR_LOC_FILE or GLOBAL_ONLY
against it (which is valid), then the new core would allow such
defined directives in  +|| ((forbidden & NOT_IN_PROXY)
> +&& ((found = find_parent(..., " +|| (found = find_parent(..., "  return apr_pstrcat(cmd->pool, cmd->cmd->name, gt,
> " cannot occur within ", found->directive,
> "> section", NULL);
wouldn't match.

Thus, how about if there, for 2.4.x only (i.e. backport patch), we'd
instead check for:
> +|| (((forbidden & NOT_IN_PROXY)
> + || (forbidden & NOT_IN_DIR_LOC_FILE) == NOT_IN_DIR_LOC_FILE
> + || (forbidden & GLOBAL_ONLY) == GLOBAL_ONLY)
> +&& ((found = ...)
> +|| ...)))
?

ISTM that it's strictly equivalent, without the compatibility caveat.

Does it work for you?

>
> That would be the definition of an MMN major bump, previously
> compiled modules require recompilation.

Yeah, we don't want that in 2.4.x, but SSLProxy* directives per
 sections yes :)
At least I am, and will try ;)

Re: svn commit: r1740928 - in /httpd/httpd/trunk: ./ include/ modules/http2/ modules/proxy/ modules/ssl/ server/

2017-10-11 Thread William A Rowe Jr

On Mon, Apr 25, 2016 at 7:04 PM,  wrote:

> Author: ylavic
> Date: Tue Apr 26 00:04:57 2016
> New Revision: 1740928
>
> URL: http://svn.apache.org/viewvc?rev=1740928=rev
> Log:
> mod_proxy, mod_ssl: Handle SSLProxy* directives in  sections,
> allowing different TLS configurations per backend.
>
>
> Modified: httpd/httpd/trunk/CHANGES
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=
> 1740928=1740927=1740928=diff
> 
> ==
> --- httpd/httpd/trunk/CHANGES [utf-8] (original)
> +++ httpd/httpd/trunk/CHANGES [utf-8] Tue Apr 26 00:04:57 2016
> @@ -1,6 +1,9 @@
>   -*- coding:
> utf-8 -*-
>  Changes with Apache 2.5.0
>
> +  *) mod_proxy, mod_ssl: Handle SSLProxy* directives in  sections,
> + allowing different TLS configurations per backend.  [Yann Ylavic]
> +
>*) mod_http2: eliminating h2_io instances for streams, reducing memory
>   pools and footprint. [Stefan Eissing]
>
>
> Modified: httpd/httpd/trunk/include/http_config.h
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/
> http_config.h?rev=1740928=1740927=1740928=diff
> 
> ==
> --- httpd/httpd/trunk/include/http_config.h (original)
> +++ httpd/httpd/trunk/include/http_config.h Tue Apr 26 00:04:57 2016
> @@ -249,6 +249,8 @@ struct command_struct {
>  #define NONFATAL_UNKNOWN 1024/* Unrecognised directive */
>  #define NONFATAL_ALL (NONFATAL_OVERRIDE|NONFATAL_UNKNOWN)
>
> +#define PROXY_CONF 2048  /**< *.conf inside Proxy only */
> +
>  /** this directive can be placed anywhere */
>  #define OR_ALL (OR_LIMIT|OR_OPTIONS|OR_FILEINFO|OR_AUTHCFG|OR_INDEXES)
>
> @@ -923,9 +925,10 @@ AP_DECLARE(const char *) ap_check_cmd_co
>  #define  NOT_IN_LOCATION0x08 /**< Forbidden in Location */
>  #define  NOT_IN_FILES   0x10 /**< Forbidden in Files or
> If*/
>  #define  NOT_IN_HTACCESS0x20 /**< Forbidden in .htaccess files */
> -/** Forbidden in Directory/Location/Files
> If*/
> -#define  NOT_IN_DIR_LOC_FILE(NOT_IN_DIRECTORY|NOT_IN_
> LOCATION|NOT_IN_FILES)
> -/** Forbidden in VirtualHost/Limit/Directory/
> Location/Files/If */
> +#define  NOT_IN_PROXY   0x40 /**< Forbidden in Proxy */
> +/** Forbidden in Directory/Location/Files
> IfProxy*/
> +#define  NOT_IN_DIR_LOC_FILE(NOT_IN_DIRECTORY|NOT_IN_
> LOCATION|NOT_IN_FILES|NOT_IN_PROXY)
> +/** Forbidden in VirtualHost/Limit/Directory/
> Location/Files/IfProxy*/
>  #define  GLOBAL_ONLY(NOT_IN_VIRTUALHOST|NOT_IN_
> LIMIT|NOT_IN_DIR_LOC_FILE)
>
>  /** @} */
>

Reviewing this in much more depth yesterday ... this doesn't seem
to be a minor MMN bump, so would not be backportable without some
extra heavy lifting on 2.4 interop.

A module previously compiled against 2.4 would not carry the newly
correct definition of NOT_IN_DIR_LOC_FILE because all previously
compiled modules are missing the 0x40 bit, right?

That would be the definition of an MMN major bump, previously
compiled modules require recompilation.

Re: svn commit: r1740928 - in /httpd/httpd/trunk: ./ include/ modules/http2/ modules/proxy/ modules/ssl/ server/

2016-08-19 Thread Yann Ylavic

On Fri, Aug 19, 2016 at 5:49 PM, William A Rowe Jr  wrote:
> Additional issues since this patch in our maintainer mode...
>
> httpd-2.x/modules/ssl/ssl_engine_config.c: In function
> 'ssl_cmd_SSLVerifyClient':
> httpd-2.x/modules/ssl/ssl_engine_config.c:1083:27: warning: 'mode' may be
> used uninitialized in this function [-Wmaybe-uninitialized]
>  dc->nVerifyClient = mode;
>^
> httpd-2.x/modules/ssl/ssl_engine_config.c: In function
> 'ssl_cmd_SSLProxyVerify':
> httpd-2.x/modules/ssl/ssl_engine_config.c:1463:33: warning: 'mode' may be
> used uninitialized in this function [-Wmaybe-uninitialized]
>  dc->proxy->auth.verify_mode = mode;
>  ^
> You might assert that ssl_cmd_verify_parse always populates the third arg
> except in case of error, you didn't satisfy the compiler of this fact ;-)

How couldn't it figure out that apr_pstrcat() never returns NULL?
Clever compilers should really read all the docs :)
Anyway, "fixed" in r1756976, thanks!

Re: svn commit: r1740928 - in /httpd/httpd/trunk: ./ include/ modules/http2/ modules/proxy/ modules/ssl/ server/

2016-08-19 Thread William A Rowe Jr

Additional issues since this patch in our maintainer mode...

httpd-2.x/modules/ssl/ssl_engine_config.c: In function
'ssl_cmd_SSLVerifyClient':
httpd-2.x/modules/ssl/ssl_engine_config.c:1083:27: warning: 'mode' may be
used uninitialized in this function [-Wmaybe-uninitialized]
 dc->nVerifyClient = mode;
   ^
httpd-2.x/modules/ssl/ssl_engine_config.c: In function
'ssl_cmd_SSLProxyVerify':
httpd-2.x/modules/ssl/ssl_engine_config.c:1463:33: warning: 'mode' may be
used uninitialized in this function [-Wmaybe-uninitialized]
 dc->proxy->auth.verify_mode = mode;
 ^
You might assert that ssl_cmd_verify_parse always populates the third arg
except in case of error, you didn't satisfy the compiler of this fact ;-)



On Tue, Apr 26, 2016 at 4:46 AM, Yann Ylavic  wrote:

> On Tue, Apr 26, 2016 at 11:00 AM, Ruediger Pluem 
> wrote:
> >
> > On 04/26/2016 02:04 AM, yla...@apache.org wrote:
> >>  static int ssl_hook_pre_connection(conn_rec *c, void *csd)
> >>  {
> >> -
> >>  SSLSrvConfigRec *sc;
> >>  SSLConnRec *sslconn = myConnConfig(c);
> >>
> >> -if (sslconn) {
> >> -sc = mySrvConfig(sslconn->server);
> >> -}
> >> -else {
> >> -sc = mySrvConfig(c->base_server);
> >> -}
> >>  /*
> >>   * Immediately stop processing if SSL is disabled for this
> connection
> >>   */
> >> -if (c->master || !(sc && (sc->enabled == SSL_ENABLED_TRUE ||
> >> -  (sslconn && sslconn->is_proxy
> >> -{
> >> +if (ssl_engine_status(c, sslconn) != OK) {
> >>  return DECLINED;
> >>  }
> >>
> >> -/*
> >> - * Create SSL context
> >> - */
> >> -if (!sslconn) {
> >> -sslconn = ssl_init_connection_ctx(c);
> >> +if (sslconn) {
> >> +sc = mySrvConfig(sslconn->server);
> >>  }
> >> -
> >> -if (sslconn->disabled) {
> >> -return DECLINED;
> >> +else {
> >> +sc = mySrvConfig(c->base_server);
> >>  }
> >
> > We have a change in behaviour here. We no longer guarantee that we have
> an sslconn created and connected to c if SSL is
> > enabled. Is this intended?
>
> Actually ssl_init_connection_ctx(c) is done by
> ssl_init_ssl_connection() called just below (on return).
>
> Regards,
> Yann.
>

Re: svn commit: r1740928 - in /httpd/httpd/trunk: ./ include/ modules/http2/ modules/proxy/ modules/ssl/ server/

2016-04-26 Thread Yann Ylavic

On Tue, Apr 26, 2016 at 11:00 AM, Ruediger Pluem  wrote:
>
> On 04/26/2016 02:04 AM, yla...@apache.org wrote:
>>  static int ssl_hook_pre_connection(conn_rec *c, void *csd)
>>  {
>> -
>>  SSLSrvConfigRec *sc;
>>  SSLConnRec *sslconn = myConnConfig(c);
>>
>> -if (sslconn) {
>> -sc = mySrvConfig(sslconn->server);
>> -}
>> -else {
>> -sc = mySrvConfig(c->base_server);
>> -}
>>  /*
>>   * Immediately stop processing if SSL is disabled for this connection
>>   */
>> -if (c->master || !(sc && (sc->enabled == SSL_ENABLED_TRUE ||
>> -  (sslconn && sslconn->is_proxy
>> -{
>> +if (ssl_engine_status(c, sslconn) != OK) {
>>  return DECLINED;
>>  }
>>
>> -/*
>> - * Create SSL context
>> - */
>> -if (!sslconn) {
>> -sslconn = ssl_init_connection_ctx(c);
>> +if (sslconn) {
>> +sc = mySrvConfig(sslconn->server);
>>  }
>> -
>> -if (sslconn->disabled) {
>> -return DECLINED;
>> +else {
>> +sc = mySrvConfig(c->base_server);
>>  }
>
> We have a change in behaviour here. We no longer guarantee that we have an 
> sslconn created and connected to c if SSL is
> enabled. Is this intended?

Actually ssl_init_connection_ctx(c) is done by
ssl_init_ssl_connection() called just below (on return).

Regards,
Yann.

Re: svn commit: r1740928 - in /httpd/httpd/trunk: ./ include/ modules/http2/ modules/proxy/ modules/ssl/ server/

2016-04-26 Thread Ruediger Pluem



On 04/26/2016 02:04 AM, yla...@apache.org wrote:
> Author: ylavic
> Date: Tue Apr 26 00:04:57 2016
> New Revision: 1740928
> 
> URL: http://svn.apache.org/viewvc?rev=1740928=rev
> Log:
> mod_proxy, mod_ssl: Handle SSLProxy* directives in  sections,
> allowing different TLS configurations per backend.
> 
> 
> Modified:
> httpd/httpd/trunk/CHANGES
> httpd/httpd/trunk/include/http_config.h
> httpd/httpd/trunk/modules/http2/h2_h2.c
> httpd/httpd/trunk/modules/http2/mod_proxy_http2.c
> httpd/httpd/trunk/modules/proxy/mod_proxy.c
> httpd/httpd/trunk/modules/proxy/mod_proxy.h
> httpd/httpd/trunk/modules/proxy/mod_proxy_connect.c
> httpd/httpd/trunk/modules/proxy/mod_proxy_ftp.c
> httpd/httpd/trunk/modules/proxy/mod_proxy_http.c
> httpd/httpd/trunk/modules/proxy/mod_proxy_wstunnel.c
> httpd/httpd/trunk/modules/proxy/proxy_util.c
> httpd/httpd/trunk/modules/ssl/mod_ssl.c
> httpd/httpd/trunk/modules/ssl/mod_ssl.h
> httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_io.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
> httpd/httpd/trunk/modules/ssl/ssl_private.h
> httpd/httpd/trunk/server/config.c
> httpd/httpd/trunk/server/core.c
> 

> Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c
> URL: 
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?rev=1740928=1740927=1740928=diff
> ==
> --- httpd/httpd/trunk/modules/ssl/mod_ssl.c (original)
> +++ httpd/httpd/trunk/modules/ssl/mod_ssl.c Tue Apr 26 00:04:57 2016

> @@ -561,34 +605,21 @@ static apr_port_t ssl_hook_default_port(
>  
>  static int ssl_hook_pre_connection(conn_rec *c, void *csd)
>  {
> -
>  SSLSrvConfigRec *sc;
>  SSLConnRec *sslconn = myConnConfig(c);
>  
> -if (sslconn) {
> -sc = mySrvConfig(sslconn->server);
> -}
> -else {
> -sc = mySrvConfig(c->base_server);
> -}
>  /*
>   * Immediately stop processing if SSL is disabled for this connection
>   */
> -if (c->master || !(sc && (sc->enabled == SSL_ENABLED_TRUE ||
> -  (sslconn && sslconn->is_proxy
> -{
> +if (ssl_engine_status(c, sslconn) != OK) {
>  return DECLINED;
>  }
>  
> -/*
> - * Create SSL context
> - */
> -if (!sslconn) {
> -sslconn = ssl_init_connection_ctx(c);
> +if (sslconn) {
> +sc = mySrvConfig(sslconn->server);
>  }
> -
> -if (sslconn->disabled) {
> -return DECLINED;
> +else {
> +sc = mySrvConfig(c->base_server);
>  }

We have a change in behaviour here. We no longer guarantee that we have an 
sslconn created and connected to c if SSL is
enabled. Is this intended?


>  
>  /*

Regards

Rüdiger

Re: svn commit: r1740928 - in /httpd/httpd/trunk: ./ include/ modules/http2/ modules/proxy/ modules/ssl/ server/

Re: svn commit: r1740928 - in /httpd/httpd/trunk: ./ include/ modules/http2/ modules/proxy/ modules/ssl/ server/

Re: svn commit: r1740928 - in /httpd/httpd/trunk: ./ include/ modules/http2/ modules/proxy/ modules/ssl/ server/

Re: svn commit: r1740928 - in /httpd/httpd/trunk: ./ include/ modules/http2/ modules/proxy/ modules/ssl/ server/

Re: svn commit: r1740928 - in /httpd/httpd/trunk: ./ include/ modules/http2/ modules/proxy/ modules/ssl/ server/

Re: svn commit: r1740928 - in /httpd/httpd/trunk: ./ include/ modules/http2/ modules/proxy/ modules/ssl/ server/

Re: svn commit: r1740928 - in /httpd/httpd/trunk: ./ include/ modules/http2/ modules/proxy/ modules/ssl/ server/

Re: svn commit: r1740928 - in /httpd/httpd/trunk: ./ include/ modules/http2/ modules/proxy/ modules/ssl/ server/

Re: svn commit: r1740928 - in /httpd/httpd/trunk: ./ include/ modules/http2/ modules/proxy/ modules/ssl/ server/

Re: svn commit: r1740928 - in /httpd/httpd/trunk: ./ include/ modules/http2/ modules/proxy/ modules/ssl/ server/

Re: svn commit: r1740928 - in /httpd/httpd/trunk: ./ include/ modules/http2/ modules/proxy/ modules/ssl/ server/

11 matches

Site Navigation

Mail list logo

Footer information