From: Rainer Jung Date: Thu, 16 May 2019 12:52:29 +0000 (+0000) Subject: mod_proxy/ssl: Proxy SSL client certificate X-Git-Tag: 2.5.0-alpha2-ci-test-only~2057 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=db74637563b2bab8f165ee8bc779ff0808d58116;p=thirdparty%2Fapache%2Fhttpd.git mod_proxy/ssl: Proxy SSL client certificate configuration and other proxy SSL configurations broken inside context. PR 63430 Triggered by r1855646+r1855748. Patch from rpluem (proxy) and ylavic (ssl). git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1859371 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index 8457ee754d2..5ead401111b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,10 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.1 + *) mod_proxy/ssl: Proxy SSL client certificate configuration and other proxy + SSL configurations broken inside context. PR 63430. + [Ruediger Pluem, Yann Ylavic] + *) mod_reqtimeout: Fix default rates missing (not applied) in 2.4.39. PR 63325. [Yann Ylavic]
diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
index 4dfdfd1672f..f948d14f830 100644
--- a/modules/proxy/mod_proxy_http.c
+++ b/modules/proxy/mod_proxy_http.c
@@ -2107,13 +2107,10 @@ static int proxy_http_handler(request_rec *r, proxy_worker *worker,
 }
 /* Step Three: Create conn_rec */
+ if ((status = ap_proxy_connection_create_ex(proxy_function,
+ backend, r)) != OK)
+ break;
 req->origin = backend->connection;
- if (!req->origin) {
- if ((status = ap_proxy_connection_create_ex(proxy_function,
- backend, r)) != OK)
- break;
- req->origin = backend->connection;
- }
 /* Don't recycle the connection if prefetch (above) told not to do so */
 if (toclose) {
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index fa7aa067f78..feec875f146 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
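Review bot: In modules/proxy/mod_proxy_http.c the call to `ap_proxy_connection_create_ex()` under "Step Three" is now unconditional but carries no comment saying why, so the removed `if (!req->origin)` guard looks like an optimisation a later cleanup could put back. Judging by the commit message and the comment added to mod_ssl.c, the call seems to be what re-applies the request's proxy SSL configuration (client certificate and the rest) to a reused backend connection; the callee is not in this hunk, so it is worth confirming that it does not rebuild an existing `backend->connection`. I would add above the call `/* Always call, even for a reused backend connection: this is where the request's per-dir proxy SSL config is re-applied (PR 63430). */`. proxy_http_handler starts above and continues below the hunk.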
@@ -492,10 +492,20 @@ static SSLConnRec *ssl_init_connection_ctx(conn_rec *c,
 SSLConnRec *sslconn = myConnConfig(c);
 int need_setup = 0;
+ /* mod_proxy's (r->)per_dir_config has the lifetime of the request, thus
+ * it uses ssl_engine_set() to reset sslconn->dc when reusing SSL backend
+ * connections, so we must fall through here. But in the case where we are
+ * called from ssl_init_ssl_connection() with no per_dir_config (which also
+ * includes mod_proxy's later run_pre_connection call), sslconn->dc should
+ * be preserved if it's already set.
+ */
 if (!sslconn) {
 sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
 need_setup = 1;
 }
+ else if (!new_proxy) {
+ return sslconn;
+ }
 /* Reinit dc in any case because it may be r->per_dir_config scoped
 * and thus a caller like mod_proxy needs to update it per request.
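Review bot: The early return at `else if (!new_proxy)` keeps whatever `sslconn->dc` already holds, and the new comment itself says that pointer can be scoped to a request's per_dir_config, so the return is only safe while the request that last set it is still alive. Nothing in the hunk checks or states that invariant; I would extend the comment with `* The preserved dc may be request-scoped: callers reaching this return must run before that request's pool is destroyed.` The comment also says dc is preserved "if it's already set", but the branch tests only `sslconn`, not `sslconn->dc`; whether dc can still be NULL on this path depends on code outside the hunk and is worth confirming. ssl_init_connection_ctx starts above and continues below the hunk.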