Posted to bugs@httpd.apache.org by bu...@apache.org on 2018/04/01 00:36:18 UTC

[Bug 62232] AH01962: Unable to create a new SSL connection from the SSL context for proxy connections when using SSLRequire

https://bz.apache.org/bugzilla/show_bug.cgi?id=62232

--- Comment #15 from Rainer Jung <ra...@kippdata.de> ---
Partial problem analysis, all happening in the child:

First during startup:

- initialises proxy->ssl_ctx in ssl_init_proxy_ctx()
- ssl_init_ConfigureServer sets proxy_post_config=1


and then during request handling

- calling ssl_init_connection_ctx without perdir
- a new perdir ssl config is merged on top of the config set up during startup,
the result now has ssl_ctx == NULL

I thought about adding ssl_ctx to the fields to merge in the perdir merging
(using the one from add if set and otherwise the one from base). But that could
be wrong, because the perdir merging also merges pkp settings which in the end
result can be a mixture of base and add settings, so the ssl_ctx seems to need
a fresh creation for the end result. On the other hand it seems that no
SSLProxy settings are allowed in non-<Proxy> perdir.

So the following minimal patch works for my reproduction case, but I wonder
whether that is really correct, i.e. whether the ssl_ctx really has the right
config:

--- modules/ssl/ssl_engine_config.c 2018-02-16 12:16:46.700863000 +0100
+++ modules/ssl/ssl_engine_config.c 2018-04-01 02:35:36.251855000 +0200
@@ -465,6 +465,7 @@
     cfgMergeString(pkp->cert_file);
     cfgMergeString(pkp->cert_path);
     cfgMergeString(pkp->ca_cert_file);
+    cfgMerge(ssl_ctx, NULL);
 }

 void *ssl_config_perdir_merge(apr_pool_t *p, void *basev, void *addv)
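Review bot: `cfgMerge(ssl_ctx, NULL)` falls back to `base->ssl_ctx` whenever `add` has no context, but the three `cfgMergeString(pkp->...)` lines directly above it resolve `cert_file`, `cert_path` and `ca_cert_file` field by field, so the merged config can end up with `add`'s certificate settings in `mrg->pkp` while `mrg->ssl_ctx` is the context that `ssl_init_proxy_ctx()` built from `base`'s. Either the merge should create a fresh context when any of those pkp fields came from `add`, or the fallback should be guarded (or at least commented) as covering only the case where the per-dir `add` config carries no SSLProxy settings, which is the situation described above for non-<Proxy> perdir merges. Note also that when both sides already have a context the macro silently keeps `add`'s, so the precedence should be stated in the comment.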

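The merge behaviour discussed in this comment, as an added example that is not mod_ssl's code: a miniature of the per-directory proxy merge with the same `cfgMerge` shape as httpd's macro. It shows the three outcomes the comment is weighing: without the patch the merged config has no context at all (the AH01962 symptom), with the patch the inherited context is correct when the per-dir config sets nothing, and stale when the per-dir config overrides a pkp field that the base context was built from. `proxy_cfg_t`, `ssl_ctx_t`, `merge_outcome` and the certificate paths are hypothetical and constructed for the example.

```c
/* Added example, not httpd code: a miniature of mod_ssl's per-dir proxy
 * config merge. Types, function names and paths are constructed. */
#include <stdio.h>
#include <string.h>

/* Stands in for SSL_CTX: records the cert settings it was built from. */
typedef struct {
    const char *cert_file;
    const char *ca_cert_file;
} ssl_ctx_t;

/* Stands in for the proxy part of SSLDirConfigRec / pkp settings. */
typedef struct {
    const char *cert_file;     /* like pkp->cert_file    */
    const char *ca_cert_file;  /* like pkp->ca_cert_file */
    ssl_ctx_t  *ssl_ctx;       /* built at startup; NULL in a fresh per-dir config */
} proxy_cfg_t;

/* Same shape as httpd's cfgMerge(el, unset): take add's value unless unset. */
#define cfgMerge(el, unset) mrg->el = (add->el == (unset)) ? base->el : add->el

/* Field-wise merge; the ssl_ctx line is the one-line patch under discussion. */
static void merge_proxy(proxy_cfg_t *mrg, const proxy_cfg_t *base,
                        const proxy_cfg_t *add, int patched)
{
    cfgMerge(cert_file, NULL);
    cfgMerge(ca_cert_file, NULL);
    if (patched)
        cfgMerge(ssl_ctx, NULL);
}

/* What ssl_init_proxy_ctx() does at startup: bake the config into a context. */
static void build_ctx(ssl_ctx_t *ctx, const proxy_cfg_t *cfg)
{
    ctx->cert_file = cfg->cert_file;
    ctx->ca_cert_file = cfg->ca_cert_file;
}

static int str_eq(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return a == b;
    return strcmp(a, b) == 0;
}

/* Outcome of one merge:
 *   0 = merged config has no context (connection creation would fail),
 *   1 = context present and built from the same settings the merge produced,
 *   2 = context present but built from settings the merge overrode (stale). */
int merge_outcome(const char *add_cert_file, int patched)
{
    proxy_cfg_t base = { "/etc/ssl/base-client.pem", "/etc/ssl/base-ca.pem", NULL };
    proxy_cfg_t add  = { add_cert_file, NULL, NULL };   /* per-dir config, no ctx yet */
    proxy_cfg_t mrg  = { NULL, NULL, NULL };
    ssl_ctx_t base_ctx;

    build_ctx(&base_ctx, &base);      /* startup: context built from base only */
    base.ssl_ctx = &base_ctx;

    merge_proxy(&mrg, &base, &add, patched);   /* request time: per-dir merge */

    if (mrg.ssl_ctx == NULL)
        return 0;
    if (str_eq(mrg.ssl_ctx->cert_file, mrg.cert_file) &&
        str_eq(mrg.ssl_ctx->ca_cert_file, mrg.ca_cert_file))
        return 1;
    return 2;
}

int main(void)
{
    printf("unpatched, per-dir sets nothing : %d\n", merge_outcome(NULL, 0));
    printf("patched,   per-dir sets nothing : %d\n", merge_outcome(NULL, 1));
    printf("patched,   per-dir overrides cert: %d\n",
           merge_outcome("/etc/ssl/dir-client.pem", 1));
    return 0;
}
```

The third case is the one the comment is unsure about: the merge macro cannot tell that `mrg->ssl_ctx` was built from values the same merge just replaced, which is why a context that is a function of the pkp fields either has to be rebuilt for the merged result or the merge has to be known never to change those fields.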