From: Jim Jagielski Date: Thu, 3 Mar 2016 15:09:32 +0000 (+0000) Subject: Merge r1729826, r1729847, r1732986, r1733056 from trunk: X-Git-Tag: 2.4.19~106 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4151e6d215cb4e92a05055c79f74826ab754251f;p=thirdparty%2Fapache%2Fhttpd.git Merge r1729826, r1729847, r1732986, r1733056 from trunk: mod_proxy: Play/restore the TLS-SNI on new backend connections which had to be issued because the remote closed the previous/reusable one during idle (keep-alive) time. mod_proxy: follow up to r1729826: really copy conn->ssl_hostname. mod_proxy: follow up to r1729826 + r1729847. Adjust stacked ssl_hostname maximum size. mod_proxy: follow up to r1729826 + r1729847 + r1732986. Don't use magic constants. Submitted by: ylavic Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1733474 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index ad38a9d8904..04c16cd6c7d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -78,6 +78,10 @@ Changes with Apache 2.4.19 *) mod_ssl: Add SSLOCSPProxyURL to add the possibility to do all queries to OCSP responders through a HTTP proxy. [Ruediger Pluem] + *) mod_proxy: Play/restore the TLS-SNI on new backend connections which + had to be issued because the remote closed the previous/reusable one + during idle (keep-alive) time. [Yann Ylavic] + *) mod_cache_socache: Fix a possible cached entity body corruption when it is received from an origin server in multiple batches and forwarded by mod_proxy. [Yann Ylavic]
diff --git a/STATUS b/STATUS
index 156b0252866..cd2f18907b1 100644
--- a/STATUS
+++ b/STATUS
@@ -112,16 +112,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - *) mod_proxy: Play/restore the TLS-SNI on new backend connections which - had to be issued because the remote closed the previous/reusable one - during idle (keep-alive) time. - trunk patch: http://svn.apache.org/r1729826 - http://svn.apache.org/r1729847 - http://svn.apache.org/r1732986 - http://svn.apache.org/r1733056 - 2.4.x patch: http://home.apache.org/~ylavic/patches/httpd-2.4.x-mod_proxy-SNI_reuse-v2.patch - +1: ylavic, icing, jim - * prefork: Fix crash in ap_mpm_pod_check call caused by NULL dereference of its parameter when starting httpd as single process (httpd -X). trunk patch: http://svn.apache.org/r1711479
diff --git a/modules/proxy/mod_proxy.h b/modules/proxy/mod_proxy.h
index d564277696b..72dab333a64 100644
--- a/modules/proxy/mod_proxy.h
+++ b/modules/proxy/mod_proxy.h
@@ -323,6 +323,11 @@ PROXY_WORKER_DISABLED | PROXY_WORKER_STOPPED | PROXY_WORKER_IN_ERROR ) #define PROXY_BALANCER_MAX_HOSTNAME_SIZE PROXY_WORKER_MAX_HOSTNAME_SIZE #define PROXY_BALANCER_MAX_STICKY_SIZE 64 +/* RFC-1035 mentions limits of 255 for host-names and 253 for domain-names, + * dotted together(?) this would fit the below size (+ trailing NUL). + */ +#define PROXY_WORKER_RFC1035_NAME_SIZE 512 + #define PROXY_MAX_PROVIDER_NAME_SIZE 16 #define PROXY_STRNCPY(dst, src) ap_proxy_strncpy((dst), (src), (sizeof(dst)))
diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
index e2f33c04de6..763073c19b6 100644
--- a/modules/proxy/proxy_util.c
+++ b/modules/proxy/proxy_util.c
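Review bot: The comment added above PROXY_WORKER_RFC1035_NAME_SIZE in mod_proxy.h hedges itself with "(?)" and mixes two figures, so a reader cannot tell what the 512 is actually meant to bound. RFC 1035 caps a domain name at 255 octets in wire form, which corresponds to 253 characters in dotted text form; either figure fits comfortably in 512 with the trailing NUL. I would replace the three comment lines with `/* RFC 1035 limits a domain name to 255 octets (253 characters in dotted text form); 512 leaves room for that plus the trailing NUL. */`. Since this constant sizes a stack buffer in proxy_util.c, the comment should also say that callers must still check the PROXY_STRNCPY result for truncation rather than rely on the size alone.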
@@ -2658,10 +2658,24 @@ PROXY_DECLARE(int) ap_proxy_connect_backend(const char *proxy_function, if (conn->sock) { if (!(connected = is_socket_connected(conn->sock))) { + /* This clears conn->scpool (and associated data), so backup and + * restore any ssl_hostname for this connection set earlier by + * ap_proxy_determine_connection(). + */ + char ssl_hostname[PROXY_WORKER_RFC1035_NAME_SIZE]; + if (!conn->ssl_hostname || PROXY_STRNCPY(ssl_hostname, + conn->ssl_hostname)) { + ssl_hostname[0] = '\0'; + } + socket_cleanup(conn); ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(00951) "%s: backend socket is disconnected.", proxy_function); + + if (ssl_hostname[0]) { + conn->ssl_hostname = apr_pstrdup(conn->scpool, ssl_hostname); + } } } while ((backend_addr || conn->uds_path) && !connected) {
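Review bot: When PROXY_STRNCPY cannot fit conn->ssl_hostname into the stack buffer, the new code clears the saved name and, after socket_cleanup(), the reconnected backend connection is made without SNI while nothing is logged; the backend may then present a different certificate or fail the handshake with no hint in the error log. A debug message in the truncation branch would make the dropped SNI visible, e.g. `ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(<assign>) "%s: ssl_hostname too long, SNI not restored on reconnect", proxy_function);` placed before `ssl_hostname[0] = '\0';`. Whether a name of that length can reach this point from configuration or from a client-supplied Host header is not visible in this hunk, so the message is the cheap way to find out in the field. ap_proxy_connect_backend continues beyond the end of the hunk.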