From: Stefan Eissing
Date: Tue, 28 Jun 2016 13:36:22 +0000 (+0000)
Subject: mod_proxy_http2: detect TLS close notify on backend connection, patch by Yann Ylavic
X-Git-Tag: 2.4.23~25
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fe4b963bb90ccdd847befff25916e43ee19d4795;p=thirdparty%2Fapache%2Fhttpd.git
mod_proxy_http2: detect TLS close notify on backend connection, patch by Yann Ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1750505 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/modules/http2/mod_proxy_http2.c b/modules/http2/mod_proxy_http2.c
index 27a3a5a6727..df1d7811757 100644
--- a/modules/http2/mod_proxy_http2.c
+++ b/modules/http2/mod_proxy_http2.c
@@ -520,11 +520,20 @@ run_connect:
 }
 ctx->p_conn->is_ssl = ctx->is_ssl;
- if (ctx->is_ssl) {
- /* If there is still some data on an existing ssl connection, now
- * would be a good timne to get rid of it. */
- ap_proxy_ssl_connection_cleanup(ctx->p_conn, ctx->rbase);
- }
+ if (ctx->is_ssl && ctx->p_conn->connection) {
+ /* If there are some metadata on the connection (e.g. TLS alert),
+ * let mod_ssl detect them, and create a new connection below.
+ */
+ apr_bucket_brigade *tmp_bb;
+ tmp_bb = apr_brigade_create(ctx->rbase->pool,
+ ctx->rbase->connection->bucket_alloc);
+ status = ap_get_brigade(ctx->p_conn->connection->input_filters, tmp_bb,
+ AP_MODE_SPECULATIVE, APR_NONBLOCK_READ, 1);
+ if (status != APR_SUCCESS && !APR_STATUS_IS_EAGAIN(status)) {
+ ctx->p_conn->close = 1;
+ }
+ apr_brigade_cleanup(tmp_bb);
+ }
 /* Step One: Determine the URL to connect to (might be a proxy),
 * initialize the backend accordingly and determine the server
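Review bot: The speculative probe writes its result into the function-wide `status`, so after this block `status` can hold EAGAIN or an APR error code even though the only intended effect is setting `ctx->p_conn->close`. A block-local `apr_status_t rv = ap_get_brigade(...)` tested with `if (rv != APR_SUCCESS && !APR_STATUS_IS_EAGAIN(rv))` would keep the probe out of any later path that reads `status` before reassigning it; the function continues outside the hunk, so whether such a path exists is not visible here. `tmp_bb` is allocated from `ctx->rbase->pool` every time control reaches `run_connect`, and `apr_brigade_cleanup` only empties it, so `apr_brigade_destroy(tmp_bb)` would be the tighter release if the label is re-entered on retries. The new comment should also say that a successful speculative read leaves the byte queued on the backend connection, because the removed call (per its own comment) got rid of pending data, and that difference matters when reasoning about stale or unsolicited bytes on a reused backend connection.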