You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by rj...@apache.org on 2013/02/12 11:54:42 UTC
svn commit: r1445100 - in /httpd/httpd/branches/2.2.x: ./ CHANGES STATUS
server/mpm_common.c
Author: rjung
Date: Tue Feb 12 10:54:42 2013
New Revision: 1445100
URL: http://svn.apache.org/r1445100
Log:
server/mpm_unix.c (dummy_connection): Use a TLS 1.0 close_notify
alert if the chosen listener is configured for https; not perfect
but better than sending an HTTP request. Adjust comments.
Backport of r1327036 and r1327080 from turnk,
resp. r1356884 from 2.4.x.
Submitted by: jorton
Reviewed by: covener, wrowe
Backported by: rjung
Modified:
httpd/httpd/branches/2.2.x/ (props changed)
httpd/httpd/branches/2.2.x/CHANGES
httpd/httpd/branches/2.2.x/STATUS
httpd/httpd/branches/2.2.x/server/mpm_common.c
Propchange: httpd/httpd/branches/2.2.x/
------------------------------------------------------------------------------
Merged /httpd/httpd/trunk:r1327036,1327080
Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=1445100&r1=1445099&r2=1445100&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Tue Feb 12 10:54:42 2013
@@ -1,6 +1,9 @@
-*- coding: utf-8 -*-
Changes with Apache 2.2.24
+ *) core: Use a TLS 1.0 close_notify alert for internal dummy connection if
+ the chosen listener is configured for https. [Joe Orton]
+
*) mod_ssl: Add new directive SSLCompression to disable TLS-level
compression. PR 53219. [Björn Jacke <bjoern j3e de>, Stefan Fritsch]
Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1445100&r1=1445099&r2=1445100&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Tue Feb 12 10:54:42 2013
@@ -120,16 +120,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
https://issues.apache.org/bugzilla/show_bug.cgi?id=53134#c10
by the patch author)
- * server/mpm_unix.c (dummy_connection): Use a TLS 1.0 close_notify
- alert if the chosen listener is configured for https; not perfect
- but better than sending an HTTP request. Adjust comments.
- Based on a patch from: Michael Weiser <michael weiser.dinsnail.net>
- trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1327036 and
- http://svn.apache.org/viewvc?view=revision&revision=1327080
- 2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1356884
- 2.2.x patch: http://people.apache.org/~rjung/patches/dummy_connection-https-tls-2_2.patch
- +1: rjung, covener, wrowe
-
* ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output
to more accurately report the negotiated protocol. PR 53916.
trunk patch: https://svn.apache.org/viewvc?view=revision&revision=1395225
Modified: httpd/httpd/branches/2.2.x/server/mpm_common.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/server/mpm_common.c?rev=1445100&r1=1445099&r2=1445100&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/server/mpm_common.c (original)
+++ httpd/httpd/branches/2.2.x/server/mpm_common.c Tue Feb 12 10:54:42 2013
@@ -636,14 +636,14 @@ static apr_status_t pod_signal_internal(
return rv;
}
-/* This function connects to the server, then immediately closes the connection.
- * This permits the MPM to skip the poll when there is only one listening
- * socket, because it provides a alternate way to unblock an accept() when
- * the pod is used.
- */
+/* This function connects to the server and sends enough data to
+ * ensure the child wakes up and processes a new connection. This
+ * permits the MPM to skip the poll when there is only one listening
+ * socket, because it provides a alternate way to unblock an accept()
+ * when the pod is used. */
static apr_status_t dummy_connection(ap_pod_t *pod)
{
- char *srequest;
+ const char *data;
apr_status_t rv;
apr_socket_t *sock;
apr_pool_t *p;
@@ -697,24 +697,38 @@ static apr_status_t dummy_connection(ap_
return rv;
}
- /* Create the request string. We include a User-Agent so that
- * adminstrators can track down the cause of the odd-looking
- * requests in their logs.
- */
- srequest = apr_pstrcat(p, "OPTIONS * HTTP/1.0\r\nUser-Agent: ",
+ if (lp->protocol && strcasecmp(lp->protocol, "https") == 0) {
+ /* Send a TLS 1.0 close_notify alert. This is perhaps the
+ * "least wrong" way to open and cleanly terminate an SSL
+ * connection. It should "work" without noisy error logs if
+ * the server actually expects SSLv3/TLSv1. With
+ * SSLv23_server_method() OpenSSL's SSL_accept() fails
+ * ungracefully on receipt of this message, since it requires
+ * an 11-byte ClientHello message and this is too short. */
+ static const unsigned char tls10_close_notify[7] = {
+ '\x15', /* TLSPlainText.type = Alert (21) */
+ '\x03', '\x01', /* TLSPlainText.version = {3, 1} */
+ '\x00', '\x02', /* TLSPlainText.length = 2 */
+ '\x01', /* Alert.level = warning (1) */
+ '\x00' /* Alert.description = close_notify (0) */
+ };
+ data = (const char *)tls10_close_notify;
+ len = sizeof(tls10_close_notify);
+ }
+ else /* ... XXX other request types here? */ {
+ /* Create an HTTP request string. We include a User-Agent so
+ * that adminstrators can track down the cause of the
+ * odd-looking requests in their logs. A complete request is
+ * used since kernel-level filtering may require that much
+ * data before returning from accept(). */
+ data = apr_pstrcat(p, "OPTIONS * HTTP/1.0\r\nUser-Agent: ",
ap_get_server_banner(),
" (internal dummy connection)\r\n\r\n", NULL);
+ len = strlen(data);
+ }
- /* Since some operating systems support buffering of data or entire
- * requests in the kernel, we send a simple request, to make sure
- * the server pops out of a blocking accept().
- */
- /* XXX: This is HTTP specific. We should look at the Protocol for each
- * listener, and send the correct type of request to trigger any Accept
- * Filters.
- */
len = strlen(srequest);
- apr_socket_send(sock, srequest, &len);
+ apr_socket_send(sock, data, &len);
apr_socket_close(sock);
apr_pool_destroy(p);
Re: svn commit: r1445100 - in /httpd/httpd/branches/2.2.x: ./ CHANGES
STATUS server/mpm_common.c
Posted by Eric Covener <co...@gmail.com>.
On Sat, Feb 16, 2013 at 5:51 PM, Rainer Jung <ra...@kippdata.de> wrote:
> On 16.02.2013 18:17, Eric Covener wrote:
>> On Tue, Feb 12, 2013 at 5:54 AM, <rj...@apache.org> wrote:
>>> + if (lp->protocol && strcasecmp(lp->protocol, "https") == 0) {
>>
>> Should this be ap_listeners? There is no local "lp" in my 2.2.x and
>> currently does not build (but I also just recently did a migration on
>> my system and somethings are flaky)
>
> You are totally right. I did build but did not notice, that the whole
> block is not being compiled when using the worker MPM, which I did.
I think the same MPM difference got me between original review and now
-- thanks for that hint.
Re: svn commit: r1445100 - in /httpd/httpd/branches/2.2.x: ./ CHANGES
STATUS server/mpm_common.c
Posted by Rainer Jung <ra...@kippdata.de>.
On 16.02.2013 18:17, Eric Covener wrote:
> On Tue, Feb 12, 2013 at 5:54 AM, <rj...@apache.org> wrote:
>> + if (lp->protocol && strcasecmp(lp->protocol, "https") == 0) {
>
> Should this be ap_listeners? There is no local "lp" in my 2.2.x and
> currently does not build (but I also just recently did a migration on
> my system and somethings are flaky)
You are totally right. I did build but did not notice, that the whole
block is not being compiled when using the worker MPM, which I did.
Double checked and yes, "ap_listeners" is right. Committed in r1446972,
now compiles also with prefork MPM.
Thanks!
Rainer
Re: svn commit: r1445100 - in /httpd/httpd/branches/2.2.x: ./ CHANGES
STATUS server/mpm_common.c
Posted by Eric Covener <co...@gmail.com>.
On Tue, Feb 12, 2013 at 5:54 AM, <rj...@apache.org> wrote:
> + if (lp->protocol && strcasecmp(lp->protocol, "https") == 0) {
Should this be ap_listeners? There is no local "lp" in my 2.2.x and
currently does not build (but I also just recently did a migration on
my system and somethings are flaky)