Posted to notifications@httpd.apache.org by GitBox <gi...@apache.org> on 2021/07/06 12:29:03 UTC

[GitHub] [httpd] icing opened a new pull request #204: improve proxy alpn check

icing opened a new pull request #204:
URL: https://github.com/apache/httpd/pull/204


   r1890696
   r1890693
   
     *) mod_ssl: tighten the handling of ALPN for outgoing (proxy)
        connections. If ALPN protocols are provided and sent to the
        remote server, the received protocol selected is inspected
        and checked for a match. Without match, the peer handshake
        fails.
        An exception is the proposal of "http/1.1" where it is
        accepted if the remote server did not answer ALPN with
        a selected protocol. This accommodates hosts that do
        not observe/support ALPN and speak http/1.x by default.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@httpd.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@httpd.apache.org
For additional commands, e-mail: notifications-help@httpd.apache.org
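
The check described in the pull request text above, written out as an added example; it is not mod_ssl's code. The names `proxy_alpn_check`, `alpn_list_has` and the verdict enum are hypothetical, and two things are assumed: the proposed protocols arrive as a comma-separated string, and a connection that proposed no ALPN at all is left unchecked.

```c
#include <stddef.h>
#include <string.h>

/* Outcome of the proxy-side ALPN check (hypothetical names). */
enum alpn_verdict { ALPN_OK = 0, ALPN_FAIL = 1 };

/* Return 1 if `name` (len bytes) is one of the comma-separated
 * protocol ids in `proposed`; spaces around an id are ignored. */
static int alpn_list_has(const char *proposed, const char *name, size_t len)
{
    const char *p = proposed;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t n;
        if (!end) end = p + strlen(p);
        while (p < end && *p == ' ') p++;
        n = (size_t)(end - p);
        while (n > 0 && p[n - 1] == ' ') n--;
        /* Exact length match: "h2" must not match "h2c". */
        if (n == len && memcmp(p, name, len) == 0) return 1;
        p = *end ? end + 1 : end;
    }
    return 0;
}

/* proposed: ids sent to the backend, NULL or "" if no ALPN was sent
 * (assumed to mean "nothing to verify").
 * selected/selected_len: the peer's answer; selected_len == 0 means
 * the peer did not answer ALPN. */
enum alpn_verdict proxy_alpn_check(const char *proposed,
                                   const unsigned char *selected,
                                   size_t selected_len)
{
    if (!proposed || !*proposed)
        return ALPN_OK;
    if (selected_len == 0)  /* tolerated only when http/1.1 was proposed */
        return alpn_list_has(proposed, "http/1.1", 8) ? ALPN_OK : ALPN_FAIL;
    /* The peer's answer is length-delimited, not NUL-terminated. */
    return alpn_list_has(proposed, (const char *)selected, selected_len)
               ? ALPN_OK : ALPN_FAIL;
}
```
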


[GitHub] [httpd] rpluem commented on a change in pull request #204: improve proxy alpn check

Posted by GitBox <gi...@apache.org>.
rpluem commented on a change in pull request #204:
URL: https://github.com/apache/httpd/pull/204#discussion_r665343546



##########
File path: modules/ssl/ssl_engine_io.c
##########
@@ -1220,6 +1234,8 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
                 ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO(03310)
                               "error setting alpn protos from '%s'", alpn_note);
                 ssl_log_ssl_error(SSLLOG_MARK, APLOG_WARNING, server);
+                /* If ALPN was requested and we cannot do it, we must fail */
+                return MODSSL_ERROR_BAD_GATEWAY;
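
Review bot: The added `return MODSSL_ERROR_BAD_GATEWAY;` makes this branch fatal for the backend connection, yet the `ap_log_cerror` and `ssl_log_ssl_error` calls directly above it still log at `APLOG_WARNING`, and the message "error setting alpn protos from '%s'" does not say that the handshake is being aborted. Suggest logging both at `APLOG_ERR` and stating in the message that the proxy connection is failed, so that the log line explains the bad-gateway result an operator will see.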

Review comment:
       Don't we need to increase `APLOG_WARNING` to `APLOG_ERROR` in `ap_log_cerror` and `ssl_log_ssl_error` above then?



