mod_ssl: Make the size of the per-dir-reneg request-body buffer
configurable, by popular demand:
* modules/ssl/ssl_private.h: Define DEFAULT_RENEG_BUFFER_SIZE.
(SSLDirConfigRec): Add nRenegBufferSize field.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLRenegBufferSize): New
function.
(ssl_config_perdir_create, ssl_config_perdir_merge): Handle
nRenegBufferSize.
* modules/ssl/ssl_engine_io.c (ssl_io_buffer_fill): Take max buffer
size as an argument rather than compile-time constant.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Pass
nRenegBufferSize to ssl_io_buffer_fill.
* modules/ssl/mod_ssl.c (ssl_config_cmds): Add SSLRenegBufferSize.
PR: 39243
* Correctly merge SSLRenegBufferSize directive.
PR: 46508
Submitted by: <tlhackque yahoo.com>
Reviewed by: rpluem, jorton, pgollucci
* Add a stub documentation for SSLRenegBufferSize.
* docs/manual/mod/mod_ssl.xml: Flesh out SSLRenegBufferSize
docs a little - thanks rpluem!
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@739605
13f79535-47bb-0310-9956-
ffa450edef68
-*- coding: utf-8 -*-
Changes with Apache 2.2.12
+
+ *) mod_ssl: Add SSLRenegBufferSize directive to allow changing the
+ size of the buffer used for the request-body where necessary
+ during a per-dir renegotiation. PR 39243. [Joe Orton]
*) mod_rewrite: Introduce DiscardPathInfo|DPI flag to stop the troublesome
way that per-directory rewrites append the previous notion of PATH_INFO
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- * mod_ssl: Add SSLRenegBufferSize to configure the amount of memory that will
- be used for buffering the request body if a per-location SSL renegotiationi
- is required due to changed access control requirements.
- PR 39243, 46508
- Trunk version of patch:
- http://svn.apache.org/viewvc?rev=726109&view=rev
- http://svn.apache.org/viewvc?rev=733465&view=rev
- http://svn.apache.org/viewvc?rev=733467&view=rev
- http://svn.apache.org/viewvc?rev=733695&view=rev
- Backport version for 2.2.x of patch:
- Trunk version of patch works
- +1: rpluem, jorton, pgollucci
-
* prefork: release mutex when exiting in single-process mode,
add timeout to pollset-poll to avoid hanging during graceful
stop/restart with multiple listening sockets
<li><img alt="" src="../images/down.gif" /> <a href="#sslproxyverify">SSLProxyVerify</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslproxyverifydepth">SSLProxyVerifyDepth</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslrandomseed">SSLRandomSeed</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#sslrenegbuffersize">SSLRenegBufferSize</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslrequire">SSLRequire</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslrequiressl">SSLRequireSSL</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslsessioncache">SSLSessionCache</a></li>
SSLRandomSeed connect file:/dev/urandom 1024<br />
</code></p></div>
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="SSLRenegBufferSize" id="SSLRenegBufferSize">SSLRenegBufferSize</a> <a name="sslrenegbuffersize" id="sslrenegbuffersize">Directive</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Set the size for the SSL renegotiation buffer</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLRenegBufferSize <var>bytes</var></code></td></tr>
+<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLRenegBufferSize 131072</code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
+<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
+</table>
+
+<p>If an SSL renegotiation is required in per-location context, for
+example, any use of <code class="directive"><a href="#sslverifyclient">SSLVerifyClient</a></code> in a Directory or
+Location block, then <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> must buffer any HTTP
+request body into memory until the new SSL handshake can be performed.
+This directive can be used to set the amount of memory that will be
+used for this buffer. </p>
+
+<div class="warning"><p>
+Note that in many configurations, the client sending the request body
+will be untrusted so a denial of service attack by consumption of
+memory must be considered when changing this configuration setting.
+</p></div>
+
+<div class="example"><h3>Example</h3><p><code>
+SSLRenegBufferSize 262144
+</code></p></div>
+
</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="SSLRequire" id="SSLRequire">SSLRequire</a> <a name="sslrequire" id="sslrequire">Directive</a></h2>
</usage>
</directivesynopsis>
+<directivesynopsis>
+<name>SSLRenegBufferSize</name>
+<description>Set the size for the SSL renegotiation buffer</description>
+<syntax>SSLRenegBufferSize <var>bytes</var></syntax>
+<default>SSLRenegBufferSize 131072</default>
+<contextlist><context>directory</context>
+<context>.htaccess</context></contextlist>
+<override>AuthConfig</override>
+
+<usage>
+
+<p>If an SSL renegotiation is required in per-location context, for
+example, any use of <directive
+module="mod_ssl">SSLVerifyClient</directive> in a Directory or
+Location block, then <module>mod_ssl</module> must buffer any HTTP
+request body into memory until the new SSL handshake can be performed.
+This directive can be used to set the amount of memory that will be
+used for this buffer. </p>
+
+<note type="warning"><p>
+Note that in many configurations, the client sending the request body
+will be untrusted so a denial of service attack by consumption of
+memory must be considered when changing this configuration setting.
+</p></note>
+
+<example><title>Example</title>
+SSLRenegBufferSize 262144
+</example>
+</usage>
+</directivesynopsis>
+
<directivesynopsis>
<name>SSLProxyMachineCertificatePath</name>
<description>Directory of PEM-encoded client certificates and keys to be used by the proxy</description>
SSL_CMD_DIR(Require, AUTHCFG, RAW_ARGS,
"Require a boolean expression to evaluate to true for granting access"
"(arbitrary complex boolean expression - see manual)")
+ SSL_CMD_DIR(RenegBufferSize, AUTHCFG, TAKE1,
+ "Configure the amount of memory that will be used for buffering the "
+ "request body if a per-location SSL renegotiation is required due to "
+ "changed access control requirements")
/* Deprecated directives. */
AP_INIT_RAW_ARGS("SSLLog", ap_set_deprecated, NULL, OR_ALL,
dc->szCACertificateFile = NULL;
dc->szUserName = NULL;
+ dc->nRenegBufferSize = UNSET;
+
return dc;
}
cfgMergeString(szCACertificateFile);
cfgMergeString(szUserName);
+ cfgMergeInt(nRenegBufferSize);
+
return mrg;
}
return NULL;
}
+const char *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg)
+{
+ SSLDirConfigRec *dc = dcfg;
+
+ dc->nRenegBufferSize = atoi(arg);
+ if (dc->nRenegBufferSize < 0) {
+ return apr_pstrcat(cmd->pool, "Invalid size for SSLRenegBufferSize: ",
+ arg, NULL);
+ }
+
+ return NULL;
+}
+
static const char *ssl_cmd_protocol_parse(cmd_parms *parms,
const char *arg,
ssl_proto_t *options)
return status;
}
-/* 128K maximum buffer size by default. */
-#ifndef SSL_MAX_IO_BUFFER
-#define SSL_MAX_IO_BUFFER (128 * 1024)
-#endif
-
struct modssl_buffer_ctx {
apr_bucket_brigade *bb;
apr_pool_t *pool;
};
-int ssl_io_buffer_fill(request_rec *r)
+int ssl_io_buffer_fill(request_rec *r, apr_size_t maxlen)
{
conn_rec *c = r->connection;
struct modssl_buffer_ctx *ctx;
/* ... and a temporary brigade. */
tempb = apr_brigade_create(r->pool, c->bucket_alloc);
- ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "filling buffer");
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "filling buffer, max size "
+ "%" APR_SIZE_T_FMT " bytes", maxlen);
do {
apr_status_t rv;
total, eos);
/* Fail if this exceeds the maximum buffer size. */
- if (total > SSL_MAX_IO_BUFFER) {
+ if (total > maxlen) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "request body exceeds maximum size for SSL buffer");
+ "request body exceeds maximum size (%" APR_SIZE_T_FMT
+ ") for SSL buffer", maxlen);
return HTTP_REQUEST_ENTITY_TOO_LARGE;
}
&& strcmp(apr_table_get(r->headers_in, "content-length"), "0")))
&& !r->expecting_100) {
int rv;
+ apr_size_t rsize;
- /* Fill the I/O buffer with the request body if possible. */
- rv = ssl_io_buffer_fill(r);
+ rsize = dc->nRenegBufferSize == UNSET ? DEFAULT_RENEG_BUFFER_SIZE :
+ dc->nRenegBufferSize;
+ if (rsize > 0) {
+ /* Fill the I/O buffer with the request body if possible. */
+ rv = ssl_io_buffer_fill(r, rsize);
+ }
+ else {
+ /* If the reneg buffer size is set to zero, just fail. */
+ rv = HTTP_REQUEST_ENTITY_TOO_LARGE;
+ }
if (rv) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
#define SSL_SESSION_CACHE_TIMEOUT 300
#endif
+/* Default setting for per-dir reneg buffer. */
+#ifndef DEFAULT_RENEG_BUFFER_SIZE
+#define DEFAULT_RENEG_BUFFER_SIZE (128 * 1024)
+#endif
+
/**
* Support for MM library
*/
const char *szCACertificatePath;
const char *szCACertificateFile;
const char *szUserName;
+ apr_size_t nRenegBufferSize;
} SSLDirConfigRec;
/**
const char *ssl_cmd_SSLRequireSSL(cmd_parms *, void *);
const char *ssl_cmd_SSLRequire(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLUserName(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
const char *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
/* ssl_io_buffer_fill fills the setaside buffering of the HTTP request
* to allow an SSL renegotiation to take place. */
-int ssl_io_buffer_fill(request_rec *r);
+int ssl_io_buffer_fill(request_rec *r, apr_size_t maxlen);
/* PRNG */
int ssl_rand_seed(server_rec *, apr_pool_t *, ssl_rsctx_t, char *);
projects / thirdparty / apache / httpd.git / commitdiff
