From: Ruediger Pluem Date: Fri, 11 Feb 2011 12:30:21 +0000 (+0000) Subject: Merge r1039304, r1053584 from trunk: X-Git-Tag: 2.2.18~137 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=293dc565b626adf8ea1a8f24e1185744dc12d0d6;p=thirdparty%2Fapache%2Fhttpd.git Merge r1039304, r1053584 from trunk: * Put a note in the connection notes that the SSL handshake to the backend failed such that mod_proxy can put the worker in error state. PR: 50332 Submitted by: Daniel Ruggeri Reviewed by: rpluem * Fix r1039304 and make the patch similar to the one proposed for 2.2.x: If the SSL handshake to the backend fails we cannot even sent an HTTP request. So the check needs to happen already when we sent data not when we receive data. Reviewed by: rpluem, jim, wrowe git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1069773 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index 55cf53c8fbe..39fd0d9d876 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.2.18 + *) mod_proxy: Put the worker in error state if the SSL handshake with the + backend fails. PR 50332. + [Daniel Ruggeri , Ruediger Pluem] + *) prefork: Update MPM state in children during a graceful restart. Allow the HTTP connection handling loop to terminate early during a graceful restart. PR 41743.
diff --git a/STATUS b/STATUS
index 50b61b6f267..ca1995377ad 100644
--- a/STATUS
+++ b/STATUS
@@ -102,15 +102,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK: enabling/disabling the basic capability is not split out into mod_unixd 2.2.x. +1: trawick, covener, wrowe - * mod_proxy_http: Become aware of ssl handshake failures when attempting - to pass request. Makes it so workers are put in error state when a - handshake failure is encountered. - PR50332 - Trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1039304 - http://svn.apache.org/viewvc?view=revision&revision=1053584 - 2.2.x patch: https://issues.apache.org/bugzilla/attachment.cgi?id=26450 - +1: rpluem, jim, wrowe - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ]
diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
index e0a8ae11168..359e40fc06b 100644
--- a/modules/proxy/mod_proxy_http.c
+++ b/modules/proxy/mod_proxy_http.c
@@ -271,10 +271,16 @@ static int pass_brigade(apr_bucket_alloc_t *bucket_alloc, ap_log_error(APLOG_MARK, APLOG_ERR, status, r->server, "proxy: pass request body failed to %pI (%s)", conn->addr, conn->hostname); - if (origin->aborted) { + if (origin->aborted) { + if (strcmp(apr_table_get(origin->notes, + "SSL_connect_rv"), "err") == 0) { + return ap_proxyerror(r, HTTP_INTERNAL_SERVER_ERROR, + "Error during SSL Handshake with" + " remote server"); + } return APR_STATUS_IS_TIMEUP(status) ? HTTP_GATEWAY_TIME_OUT : HTTP_BAD_GATEWAY; } - else { + else { return HTTP_BAD_REQUEST; } }
diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
index da9a8229415..e2d33909d1e 100644
--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
@@ -1069,6 +1069,7 @@ static int ssl_io_filter_connect(ssl_filter_ctx_t *filter_ctx) ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server); /* ensure that the SSL structures etc are freed, etc: */ ssl_filter_io_shutdown(filter_ctx, c, 1); + apr_table_set(c->notes, "SSL_connect_rv", "err"); return HTTP_BAD_GATEWAY; }
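Review bot: In the pass_brigade hunk of modules/proxy/mod_proxy_http.c the result of `apr_table_get(origin->notes, "SSL_connect_rv")` is handed straight to `strcmp`, and `apr_table_get` returns NULL when the key is absent. Within this commit the note is written only by ssl_io_filter_connect, so an aborted connection to a plain-HTTP backend, or one that aborts before that function has run, would presumably reach this line with no note set and dereference NULL, taking down the child that is serving the request. Fetch the value first and test it before comparing: `const char *ssl_note = apr_table_get(origin->notes, "SSL_connect_rv");` at the top of the `if (origin->aborted) {` block, then `if (ssl_note != NULL && strcmp(ssl_note, "err") == 0) {`. pass_brigade begins and ends outside the hunk.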
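Review bot: The note key `"SSL_connect_rv"` and its values `"err"` / `"ok"` appear as bare string literals at all four `apr_table_set` calls across the three ssl_io_filter_connect hunks of modules/ssl/ssl_engine_io.c (at -1069, -1086 and -1105), and again in the reader in mod_proxy_http.c, with no comment stating the contract between the two modules. A comment at the first call would make it discoverable, for example `/* Record the failed backend handshake for mod_proxy, which puts the worker in error state (PR 50332) */`, and a shared named constant would keep writer and reader from drifting apart. Any failure return of ssl_io_filter_connect that lies outside these hunks would leave the note unset, which is worth checking because the reader treats only `"err"` as a handshake failure. The function body extends beyond each hunk.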
@@ -1086,6 +1087,7 @@ static int ssl_io_filter_connect(ssl_filter_ctx_t *filter_ctx) } /* ensure that the SSL structures etc are freed, etc: */ ssl_filter_io_shutdown(filter_ctx, c, 1); + apr_table_set(c->notes, "SSL_connect_rv", "err"); return HTTP_BAD_GATEWAY; } X509_free(cert);
@@ -1105,10 +1107,12 @@ static int ssl_io_filter_connect(ssl_filter_ctx_t *filter_ctx) hostname, hostname_note); /* ensure that the SSL structures etc are freed, etc: */ ssl_filter_io_shutdown(filter_ctx, c, 1); + apr_table_set(c->notes, "SSL_connect_rv", "err"); return HTTP_BAD_GATEWAY; } } + apr_table_set(c->notes, "SSL_connect_rv", "ok"); return APR_SUCCESS; }