From 7858348b31694e4e7b6d045465a4b92a21c5736e Mon Sep 17 00:00:00 2001
From: Rainer Jung
Date: Tue, 12 Feb 2013 10:54:42 +0000
Subject: [PATCH] server/mpm_unix.c (dummy_connection): Use a TLS 1.0 close_notify alert if the chosen listener is configured for https; not perfect but better than sending an HTTP request. Adjust comments.

Backport of r1327036 and r1327080 from turnk, resp. r1356884 from 2.4.x.
Submitted by: jorton
Reviewed by: covener, wrowe
Backported by: rjung

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1445100 13f79535-47bb-0310-9956-ffa450edef68
---
 CHANGES             |  3 +++
 STATUS              | 10 --------
 server/mpm_common.c | 54 ++++++++++++++++++++++++++++-----------------
 3 files changed, 37 insertions(+), 30 deletions(-)

diff --git a/CHANGES b/CHANGES
index c447c43502c..c618ed7f115 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.2.24
 
+  *) core: Use a TLS 1.0 close_notify alert for internal dummy connection if
+     the chosen listener is configured for https. [Joe Orton]
+
   *) mod_ssl: Add new directive SSLCompression to disable TLS-level
      compression. PR 53219. [Björn Jacke , Stefan Fritsch]
 
diff --git a/STATUS b/STATUS
index a5146bf8051..dc3eb5903ef 100644
--- a/STATUS
+++ b/STATUS
@@ -120,16 +120,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
       https://issues.apache.org/bugzilla/show_bug.cgi?id=53134#c10
       by the patch author)
 
-  * server/mpm_unix.c (dummy_connection): Use a TLS 1.0 close_notify
-    alert if the chosen listener is configured for https; not perfect
-    but better than sending an HTTP request. Adjust comments.
-    Based on a patch from: Michael Weiser
-    trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1327036 and
-                 http://svn.apache.org/viewvc?view=revision&revision=1327080
-    2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1356884
-    2.2.x patch: http://people.apache.org/~rjung/patches/dummy_connection-https-tls-2_2.patch
-    +1: rjung, covener, wrowe
-
   * ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output to
     more accurately report the negotiated protocol. PR 53916.
     trunk patch: https://svn.apache.org/viewvc?view=revision&revision=1395225
diff --git a/server/mpm_common.c b/server/mpm_common.c
index eb59407f14a..402ae7f0372 100644
--- a/server/mpm_common.c
+++ b/server/mpm_common.c
@@ -636,14 +636,14 @@ static apr_status_t pod_signal_internal(ap_pod_t *pod)
     return rv;
 }
 
-/* This function connects to the server, then immediately closes the connection.
- * This permits the MPM to skip the poll when there is only one listening
- * socket, because it provides a alternate way to unblock an accept() when
- * the pod is used.
- */
+/* This function connects to the server and sends enough data to
+ * ensure the child wakes up and processes a new connection. This
+ * permits the MPM to skip the poll when there is only one listening
+ * socket, because it provides a alternate way to unblock an accept()
+ * when the pod is used. */
 static apr_status_t dummy_connection(ap_pod_t *pod)
 {
-    char *srequest;
+    const char *data;
     apr_status_t rv;
     apr_socket_t *sock;
     apr_pool_t *p;
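Review bot: The rewritten header comment still reads `a alternate way to unblock an accept()`; since the comment is being reworded anyway, `an alternate way` would fix the article. The comment also says the function "sends enough data" without saying what that data is; a clause such as `(a TLS close_notify alert for an https listener, a minimal HTTP OPTIONS request otherwise)` would let a reader understand the send without reading the body, which continues past this hunk.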
@@ -697,24 +697,38 @@ static apr_status_t dummy_connection(ap_pod_t *pod)
         return rv;
     }
 
-    /* Create the request string. We include a User-Agent so that
-     * adminstrators can track down the cause of the odd-looking
-     * requests in their logs.
-     */
-    srequest = apr_pstrcat(p, "OPTIONS * HTTP/1.0\r\nUser-Agent: ",
+    if (lp->protocol && strcasecmp(lp->protocol, "https") == 0) {
+        /* Send a TLS 1.0 close_notify alert. This is perhaps the
+           "least wrong" way to open and cleanly terminate an SSL
+           connection. It should "work" without noisy error logs if
+           the server actually expects SSLv3/TLSv1. With
+           SSLv23_server_method() OpenSSL's SSL_accept() fails
+           ungracefully on receipt of this message, since it requires
+           an 11-byte ClientHello message and this is too short. */
+        static const unsigned char tls10_close_notify[7] = {
+            '\x15',         /* TLSPlainText.type = Alert (21) */
+            '\x03', '\x01', /* TLSPlainText.version = {3, 1} */
+            '\x00', '\x02', /* TLSPlainText.length = 2 */
+            '\x01',         /* Alert.level = warning (1) */
+            '\x00'          /* Alert.description = close_notify (0) */
+        };
+        data = (const char *)tls10_close_notify;
+        len = sizeof(tls10_close_notify);
+    }
+    else /* ... XXX other request types here? */ {
+        /* Create an HTTP request string. We include a User-Agent so
+           that adminstrators can track down the cause of the
+           odd-looking requests in their logs. A complete request is
+           used since kernel-level filtering may require that much
+           data before returning from accept(). */
+        data = apr_pstrcat(p, "OPTIONS * HTTP/1.0\r\nUser-Agent: ",
                            ap_get_server_banner(),
                            " (internal dummy connection)\r\n\r\n", NULL);
+        len = strlen(data);
+    }
 
-    /* Since some operating systems support buffering of data or entire
-     * requests in the kernel, we send a simple request, to make sure
-     * the server pops out of a blocking accept().
-     */
-    /* XXX: This is HTTP specific. We should look at the Protocol for each
-     * listener, and send the correct type of request to trigger any Accept
-     * Filters.
-     */ len = strlen(srequest);
-    apr_socket_send(sock, srequest, &len);
+    apr_socket_send(sock, data, &len);
 
     apr_socket_close(sock);
     apr_pool_destroy(p);
-- 
2.47.2
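Review bot: The result of `apr_socket_send(sock, data, &len)` is still discarded, so a failed or short write of the alert or request is neither logged nor reported, and `rv` presumably still holds the success status of the preceding call; the earlier failure paths in this function `return rv;`, so the send should follow suit, e.g. `rv = apr_socket_send(sock, data, &len);` with `len` compared against the original length to treat a short write as an error (dummy_connection's tail after `apr_pool_destroy(p)` lies outside the hunk). The 7-byte close_notify carries nothing comparable to the `(internal dummy connection)` User-Agent of the HTTP branch, so in the SSL_accept() failure case the comment itself describes an administrator sees only an unexplained handshake error from the local address; one more sentence in that comment stating that such entries are expected and originate from the parent's wakeup connection would save them a false alarm. On style, `else /* ... XXX other request types here? */ {` is hard to read; moving the comment onto its own line inside the else block keeps brace placement consistent with the if branch.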