-*- coding: utf-8 -*-
Changes with Apache 2.4.39
+ *) mod_proxy/ssl: Cleanup per-request SSL configuration anytime a backend
+ connection is recycled/reused to avoid a possible crash with some SSLProxy
+ configurations in <Location> or <Proxy> context. PR 63256. [Yann Ylavic]
+
*) mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA failure.
[Michael Kaufmann <mail michael-kaufmann.ch>]
socket_cleanup(conn);
conn->close = 0;
}
+ else if (conn->is_ssl) {
+ /* Unbind/reset the SSL connection dir config (sslconn->dc) from
+ * r->per_dir_config, r will likely get destroyed before this proxy
+ * conn is reused.
+ */
+ ap_proxy_ssl_engine(conn->connection, worker->section_config, 1);
+ }
if (worker->s->hmax && worker->cp->res) {
conn->inreslist = 1;
apr_bucket_alloc_t *bucket_alloc;
if (conn->connection) {
+ if (conn->is_ssl) {
+ /* on reuse, reinit the SSL connection dir config with the current
+ * r->per_dir_config, the previous one was reset on release.
+ */
+ ap_proxy_ssl_engine(conn->connection, per_dir_config, 1);
+ }
return OK;
}
}
static SSLConnRec *ssl_init_connection_ctx(conn_rec *c,
- ap_conf_vector_t *per_dir_config)
+ ap_conf_vector_t *per_dir_config,
+ int new_proxy)
{
SSLConnRec *sslconn = myConnConfig(c);
- SSLSrvConfigRec *sc;
+ int need_setup = 0;
- if (sslconn) {
- return sslconn;
+ if (!sslconn) {
+ sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
+ need_setup = 1;
}
- sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
-
+ /* Reinit dc in any case because it may be r->per_dir_config scoped
+ * and thus a caller like mod_proxy needs to update it per request.
+ */
if (per_dir_config) {
sslconn->dc = ap_get_module_config(per_dir_config, &ssl_module);
}
&ssl_module);
}
- sslconn->server = c->base_server;
- sslconn->verify_depth = UNSET;
- sc = mySrvConfig(c->base_server);
- sslconn->cipher_suite = sc->server->auth.cipher_suite;
+ if (need_setup) {
+ sslconn->server = c->base_server;
+ sslconn->verify_depth = UNSET;
+ if (new_proxy) {
+ sslconn->is_proxy = 1;
+ sslconn->cipher_suite = sslconn->dc->proxy->auth.cipher_suite;
+ }
+ else {
+ SSLSrvConfigRec *sc = mySrvConfig(c->base_server);
+ sslconn->cipher_suite = sc->server->auth.cipher_suite;
+ }
- myConnConfigSet(c, sslconn);
+ myConnConfigSet(c, sslconn);
+ }
return sslconn;
}
int status;
if (proxy) {
- sslconn = ssl_init_connection_ctx(c, per_dir_config);
- sslconn->is_proxy = 1;
+ sslconn = ssl_init_connection_ctx(c, per_dir_config, 1);
}
else {
sslconn = myConnConfig(c);
/*
* Create or retrieve SSL context
*/
- sslconn = ssl_init_connection_ctx(c, r ? r->per_dir_config : NULL);
+ sslconn = ssl_init_connection_ctx(c, r ? r->per_dir_config : NULL, 0);
server = sslconn->server;
sc = mySrvConfig(server);
projects / thirdparty / apache / httpd.git / commitdiff
