You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by ic...@apache.org on 2019/01/24 15:21:05 UTC
svn commit: r1852037 - in /httpd/httpd/trunk: CHANGES
modules/http2/h2_conn.c modules/http2/h2_mplx.c modules/http2/h2_task.c
modules/ssl/ssl_engine_kernel.c
Author: icing
Date: Thu Jan 24 15:21:04 2019
New Revision: 1852037
URL: http://svn.apache.org/viewvc?rev=1852037&view=rev
Log:
reverting last change
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/modules/http2/h2_conn.c
httpd/httpd/trunk/modules/http2/h2_mplx.c
httpd/httpd/trunk/modules/http2/h2_task.c
httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1852037&r1=1852036&r2=1852037&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Thu Jan 24 15:21:04 2019
@@ -1,8 +1,6 @@
-*- coding: utf-8 -*-
Changes with Apache 2.5.1
- *) mod_http2: enable re-use of slave connections again. [Stefan Eissing]
-
*) mod_proxy_wstunnel: Fix websocket proxy over UDS.
PR 62932 <pavel dcmsys.com>
Modified: httpd/httpd/trunk/modules/http2/h2_conn.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/h2_conn.c?rev=1852037&r1=1852036&r2=1852037&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/http2/h2_conn.c (original)
+++ httpd/httpd/trunk/modules/http2/h2_conn.c Thu Jan 24 15:21:04 2019
@@ -370,16 +370,17 @@ apr_status_t h2_slave_run_pre_connection
* (Not necessarily in pre_connection, but later. Set it here, so it
* is in place.) */
slave->keepalives = 1;
+ /* We signal that this connection will be closed after the request.
+ * Which is true in that sense that we throw away all traffic data
+ * on this slave connection after each requests. Although we might
+ * reuse internal structures like memory pools.
+ * The wanted effect of this is that httpd does not try to clean up
+ * any dangling data on this connection when a request is done. Which
+ * is unneccessary on a h2 stream.
+ */
+ slave->keepalive = AP_CONN_CLOSE;
+ return ap_run_pre_connection(slave, csd);
}
- /* We signal that this connection will be closed after the request.
- * Which is true in that sense that we throw away all traffic data
- * on this slave connection after each requests. Although we might
- * reuse internal structures like memory pools.
- * The wanted effect of this is that httpd does not try to clean up
- * any dangling data on this connection when a request is done. Which
- * is unneccessary on a h2 stream.
- */
- slave->keepalive = AP_CONN_CLOSE;
- return ap_run_pre_connection(slave, csd);
+ return APR_SUCCESS;
}
Modified: httpd/httpd/trunk/modules/http2/h2_mplx.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/h2_mplx.c?rev=1852037&r1=1852036&r2=1852037&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/http2/h2_mplx.c (original)
+++ httpd/httpd/trunk/modules/http2/h2_mplx.c Thu Jan 24 15:21:04 2019
@@ -327,8 +327,7 @@ static int stream_destroy_iter(void *ctx
&& !task->rst_error);
}
- task->c = NULL;
- if (reuse_slave) {
+ if (reuse_slave && slave->keepalive == AP_CONN_KEEPALIVE) {
h2_beam_log(task->output.beam, m->c, APLOG_DEBUG,
APLOGNO(03385) "h2_task_destroy, reuse slave");
h2_task_destroy(task);
Modified: httpd/httpd/trunk/modules/http2/h2_task.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/h2_task.c?rev=1852037&r1=1852036&r2=1852037&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/http2/h2_task.c (original)
+++ httpd/httpd/trunk/modules/http2/h2_task.c Thu Jan 24 15:21:04 2019
@@ -545,6 +545,7 @@ h2_task *h2_task_create(conn_rec *slave,
void h2_task_destroy(h2_task *task)
{
if (task->output.beam) {
+ h2_beam_log(task->output.beam, task->c, APLOG_TRACE2, "task_destroy");
h2_beam_destroy(task->output.beam);
task->output.beam = NULL;
}
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1852037&r1=1852036&r2=1852037&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Thu Jan 24 15:21:04 2019
@@ -2308,37 +2308,6 @@ void ssl_callback_Info(const SSL *ssl, i
}
#ifdef HAVE_TLSEXT
-
-static apr_status_t set_challenge_creds(conn_rec *c, const char *servername,
- SSL *ssl, X509 *cert, EVP_PKEY *key)
-{
- SSLConnRec *sslcon = myConnConfig(c);
-
- sslcon->service_unavailable = 1;
- if ((SSL_use_certificate(ssl, cert) < 1)) {
- ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO(10086)
- "Failed to configure challenge certificate %s",
- servername);
- return APR_EGENERAL;
- }
-
- if (!SSL_use_PrivateKey(ssl, key)) {
- ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO(10087)
- "error '%s' using Challenge key: %s",
- ERR_error_string(ERR_peek_last_error(), NULL),
- servername);
- return APR_EGENERAL;
- }
-
- if (SSL_check_private_key(ssl) < 1) {
- ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO(10088)
- "Challenge certificate and private key %s "
- "do not match", servername);
- return APR_EGENERAL;
- }
- return APR_SUCCESS;
-}
-
/*
* This function sets the virtual host from an extended
* client hello with a server name indication extension ("SNI", cf. RFC 6066).
@@ -2368,12 +2337,30 @@ static apr_status_t init_vhost(conn_rec
return APR_SUCCESS;
}
else if (ssl_is_challenge(c, servername, &cert, &key)) {
- /* With ACMEv1 we can have challenge connections to a unknown domains
- * that need to be answered with a special certificate and will
- * otherwise not answer any requests. */
- if (set_challenge_creds(c, servername, ssl, cert, key) != APR_SUCCESS) {
+
+ sslcon->service_unavailable = 1;
+ if ((SSL_use_certificate(ssl, cert) < 1)) {
+ ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO(10086)
+ "Failed to configure challenge certificate %s",
+ servername);
return APR_EGENERAL;
}
+
+ if (!SSL_use_PrivateKey(ssl, key)) {
+ ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO(10087)
+ "error '%s' using Challenge key: %s",
+ ERR_error_string(ERR_peek_last_error(), NULL),
+ servername);
+ return APR_EGENERAL;
+ }
+
+ if (SSL_check_private_key(ssl) < 1) {
+ ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO(10088)
+ "Challenge certificate and private key %s "
+ "do not match", servername);
+ return APR_EGENERAL;
+ }
+
}
else {
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02044)
@@ -2666,23 +2653,6 @@ int ssl_callback_alpn_select(SSL *ssl,
proposed);
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
-
- /* protocol was switched, this could be a challenge protocol such as "acme-tls/1".
- * For that to work, we need to allow overrides to our ssl certificate.
- * However, exclude challenge checks on our best known traffic protocol.
- * (http/1.1 is the default, we never switch to it anyway.)
- */
- if (strcmp("h2", proposed)) {
- const char *servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
- X509 *cert;
- EVP_PKEY *key;
-
- if (ssl_is_challenge(c, servername, &cert, &key)) {
- if (set_challenge_creds(c, servername, ssl, cert, key) != APR_SUCCESS) {
- return SSL_TLSEXT_ERR_ALERT_FATAL;
- }
- }
- }
}
return SSL_TLSEXT_ERR_OK;