From: Rainer Jung Date: Tue, 24 Feb 2015 18:34:01 +0000 (+0000) Subject: Merge r1661067 from trunk: X-Git-Tag: 2.4.13~396 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0158d4158dd2a53b83bf0c32e71c0c396c9b6a08;p=thirdparty%2Fapache%2Fhttpd.git Merge r1661067 from trunk: mod_proxy_ajp: Forward SSL protocol name (SSLv3, TLSv1.1 etc.) as a request attribute to the backend. The name is taken from the SSL_PROTOCOL env var. Recent Tomcat versions will extract it and provide it as a servlet request attribute named "org.apache.tomcat.util.net.secure_protocol_version". The change is compatible with existing AJP13, because we forward the protocol name as a normal named attribute, not with a new byte abbreviated attribute name. Submitted by: rjung Reviewed by: rjung, ylavic, covener Backported by: rjung git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1662076 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 54f0c3b9914..74fa4cb250b 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,11 @@ Changes with Apache 2.4.13 + *) mod_proxy_ajp: Forward SSL protocol name (SSLv3, TLSv1.1 etc.) as a + request attribute to the backend. Recent Tomcat versions will extract + it and provide it as a servlet request attribute named + "org.apache.tomcat.util.net.secure_protocol_version". [Rainer Jung] + *) core: Optimize string concatenation in expression parser when evaluating a string expression. [Rainer Jung] diff --git a/STATUS b/STATUS index 05162f2978c..6b4a9ca8e1a 100644 --- a/STATUS +++ b/STATUS 
@@ -119,16 +119,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK: 2.4.x patch: trunk works +1: jailletc36, ylavic, covener - * mod_proxy_ajp: Forward SSL protocol name (from SSL_PROTOCOL). - Forthcoming Tomcat versions know how to extract it and will - provide it as a servlet request attribute. - The change is compatible with existing AJP13, because we forward - the protocol name as a normal named attribute, not with a new - byte abbreviated attribute name. - trunk patch: http://svn.apache.org/r1661067 - 2.4.x patch: trunk works (modulo CHANGES) - +1: rjung, ylavic, covener - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] diff --git a/modules/proxy/ajp.h b/modules/proxy/ajp.h index 814ab0a275e..c119a7ee64f 100644 --- a/modules/proxy/ajp.h +++ b/modules/proxy/ajp.h @@ -60,6 +60,7 @@ /* The following environment variables match mod_ssl! */ #define AJP13_HTTPS_INDICATOR "HTTPS" +#define AJP13_SSL_PROTOCOL_INDICATOR "SSL_PROTOCOL" #define AJP13_SSL_CLIENT_CERT_INDICATOR "SSL_CLIENT_CERT" #define AJP13_SSL_CIPHER_INDICATOR "SSL_CIPHER" #define AJP13_SSL_SESSION_INDICATOR "SSL_SESSION_ID" diff --git a/modules/proxy/ajp_header.c b/modules/proxy/ajp_header.c index 8f9a2fcd3de..edb9d23cac9 100644 --- a/modules/proxy/ajp_header.c +++ b/modules/proxy/ajp_header.c 
@@ -415,6 +415,26 @@ static apr_status_t ajp_marshal_into_msgb(ajp_msg_t *msg, return AJP_EOVERFLOW; } } + /* Forward the SSL protocol name. + * Modern Tomcat versions know how to retrieve + * the protocol name from this attribute. + */ + if (is_ssl) { + if ((envvar = ap_proxy_ssl_val(r->pool, r->server, r->connection, r, + AJP13_SSL_PROTOCOL_INDICATOR)) + && envvar[0]) { + const char *key = SC_A_SSL_PROTOCOL; + if (ajp_msg_append_uint8(msg, SC_A_REQ_ATTRIBUTE) || + ajp_msg_append_string(msg, key) || + ajp_msg_append_string(msg, envvar)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02830) + "ajp_marshal_into_msgb: " + "Error appending attribute %s=%s", + key, envvar); + return AJP_EOVERFLOW; + } + } + } /* Forward the remote port information, which was forgotten * from the builtin data of the AJP 13 protocol. * Since the servlet spec allows to retrieve it via getRemotePort(), diff --git a/modules/proxy/ajp_header.h b/modules/proxy/ajp_header.h index 0f5fdaa81ea..4c22ac7c610 100644 --- a/modules/proxy/ajp_header.h +++ b/modules/proxy/ajp_header.h @@ -47,6 +47,11 @@ /* * AJP private request attributes * + * The following request attribute is recognized by Tomcat + * to contain the SSL protocol name + */ +#define SC_A_SSL_PROTOCOL ("AJP_SSL_PROTOCOL") +/* * The following request attribute is recognized by Tomcat * to contain the forwarded remote port. */
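Review bot: the CHANGES entry names the servlet attribute Tomcat exposes ("org.apache.tomcat.util.net.secure_protocol_version") but not the attribute name sent over AJP, which ajp_header.h defines as "AJP_SSL_PROTOCOL". It also says only "Recent Tomcat versions", so an operator cannot tell from the entry whether their backend will pick the value up. Suggest adding the AJP attribute name to the entry and, if it is known, the first Tomcat release that reads it.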
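Review bot: in the new `if (is_ssl)` block of ajp_marshal_into_msgb (modules/proxy/ajp_header.c), the comment does not say where the value comes from or when it is omitted. The code takes it from ap_proxy_ssl_val() for AJP13_SSL_PROTOCOL_INDICATOR and silently skips the attribute when the result is NULL or empty. It is then sent as an ordinary SC_A_REQ_ATTRIBUTE under the key SC_A_SSL_PROTOCOL, so the backend sees it as one more named attribute on the AJP connection. Suggest the comment state that the value is mod_ssl's SSL_PROTOCOL forwarded as-is and that no attribute is sent when it is unavailable, so anyone relying on it at the backend knows both the source and the absent case. As a style point, the two nested conditions can be folded into one, `if (is_ssl && (envvar = ap_proxy_ssl_val(...)) && envvar[0])`, which removes a level of indentation.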
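Review bot: in the modules/proxy/ajp_header.h hunk, the added lines are spliced into the existing comment that begins "AJP private request attributes". That section heading now closes together with the SC_A_SSL_PROTOCOL description, and the remote-port description that follows is left with a bare `/*` opener directly after the new define. Suggest keeping the heading as a comment of its own and giving each define a separate, self-contained comment. The new comment could also name the servlet attribute Tomcat maps this to, as the commit message does, since "recognized by Tomcat to contain the SSL protocol name" does not tell a reader where the value surfaces.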