Posted to cvs@httpd.apache.org by rp...@apache.org on 2011/02/11 13:30:21 UTC

svn commit: r1069773 - in /httpd/httpd/branches/2.2.x: CHANGES STATUS modules/proxy/mod_proxy_http.c modules/ssl/ssl_engine_io.c

Author: rpluem
Date: Fri Feb 11 12:30:21 2011
New Revision: 1069773

URL: http://svn.apache.org/viewvc?rev=1069773&view=rev
Log:
Merge r1039304, r1053584 from trunk:

* Put a note in the connection notes that the SSL handshake to the backend
  failed such that mod_proxy can put the worker in error state.

PR: 50332
Submitted by: Daniel Ruggeri <DRuggeri primary.net>
Reviewed by: rpluem


* Fix r1039304 and make the patch similar to the one proposed for
  2.2.x: If the SSL handshake to the backend fails we cannot even
  send an HTTP request. So the check needs to happen already when
  we send data, not when we receive data.

Reviewed by: rpluem, jim, wrowe

Modified:
    httpd/httpd/branches/2.2.x/CHANGES
    httpd/httpd/branches/2.2.x/STATUS
    httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_http.c
    httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c

Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=1069773&r1=1069772&r2=1069773&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Fri Feb 11 12:30:21 2011
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.2.18
 
+  *) mod_proxy: Put the worker in error state if the SSL handshake with the
+     backend fails. PR 50332.
+     [Daniel Ruggeri <DRuggeri primary.net>, Ruediger Pluem]
+
   *) prefork: Update MPM state in children during a graceful restart.
      Allow the HTTP connection handling loop to terminate early 
      during a graceful restart.  PR 41743.

Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1069773&r1=1069772&r2=1069773&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Fri Feb 11 12:30:21 2011
@@ -102,15 +102,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
      enabling/disabling the basic capability is not split out into mod_unixd 2.2.x.
      +1: trawick, covener, wrowe
 
-   * mod_proxy_http: Become aware of ssl handshake failures when attempting
-     to pass request. Makes it so workers are put in error state when a
-     handshake failure is encountered.
-     PR50332
-     Trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1039304
-                  http://svn.apache.org/viewvc?view=revision&revision=1053584
-     2.2.x patch: https://issues.apache.org/bugzilla/attachment.cgi?id=26450
-     +1: rpluem, jim, wrowe
-
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
 

Modified: httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_http.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_http.c?rev=1069773&r1=1069772&r2=1069773&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_http.c (original)
+++ httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_http.c Fri Feb 11 12:30:21 2011
@@ -271,10 +271,16 @@ static int pass_brigade(apr_bucket_alloc
         ap_log_error(APLOG_MARK, APLOG_ERR, status, r->server,
                      "proxy: pass request body failed to %pI (%s)",
                      conn->addr, conn->hostname);
-        if (origin->aborted) { 
+        if (origin->aborted) {
+            if (strcmp(apr_table_get(origin->notes,
+                                     "SSL_connect_rv"), "err") == 0) {
+                return ap_proxyerror(r, HTTP_INTERNAL_SERVER_ERROR,
+                                     "Error during SSL Handshake with"
+                                     " remote server");
+            }
             return APR_STATUS_IS_TIMEUP(status) ? HTTP_GATEWAY_TIME_OUT : HTTP_BAD_GATEWAY;
         }
-        else { 
+        else {
             return HTTP_BAD_REQUEST; 
         }
     }
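Review bot: `apr_table_get(origin->notes, "SSL_connect_rv")` returns NULL when the note was never set, and the added `strcmp` in the `origin->aborted` branch passes that result on without a check. In this commit the note is written only by mod_ssl's ssl_io_filter_connect, so a plain-HTTP backend connection that aborts while the request body is being passed would presumably reach this line with no note and crash the child process. Fetch the value first and test it: `const char *ssl_rv = apr_table_get(origin->notes, "SSL_connect_rv");` followed by `if (ssl_rv && strcmp(ssl_rv, "err") == 0) {`. pass_brigade starts and ends outside the hunk.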

Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c?rev=1069773&r1=1069772&r2=1069773&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c (original)
+++ httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c Fri Feb 11 12:30:21 2011
@@ -1069,6 +1069,7 @@ static int ssl_io_filter_connect(ssl_fil
             ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server);
             /* ensure that the SSL structures etc are freed, etc: */
             ssl_filter_io_shutdown(filter_ctx, c, 1);
+            apr_table_set(c->notes, "SSL_connect_rv", "err");
             return HTTP_BAD_GATEWAY;
         }
 
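Review bot: The note key "SSL_connect_rv" and its values "err" and "ok" are bare string literals at each of the four `apr_table_set` calls in this hunk and the two that follow, and again in the reader in mod_proxy_http.c, so a typo on either side would silently disable the handshake-failure handling. Nothing documents that the note exists only once this code has run; presumably a connection that never reaches these lines has no entry at all, which every reader of the note has to allow for. I would add a comment at the first call, for example `/* SSL_connect_rv: "err" if the handshake to the backend failed, "ok" if it succeeded; absent if no backend handshake ran */`, or define the key once in a header both modules include. ssl_io_filter_connect starts and ends outside these hunks.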
@@ -1086,6 +1087,7 @@ static int ssl_io_filter_connect(ssl_fil
                 }
                 /* ensure that the SSL structures etc are freed, etc: */
                 ssl_filter_io_shutdown(filter_ctx, c, 1);
+                apr_table_set(c->notes, "SSL_connect_rv", "err");
                 return HTTP_BAD_GATEWAY;
             }
             X509_free(cert);
@@ -1105,10 +1107,12 @@ static int ssl_io_filter_connect(ssl_fil
                               hostname, hostname_note);
                 /* ensure that the SSL structures etc are freed, etc: */
                 ssl_filter_io_shutdown(filter_ctx, c, 1);
+                apr_table_set(c->notes, "SSL_connect_rv", "err");
                 return HTTP_BAD_GATEWAY;
             }
         }
 
+        apr_table_set(c->notes, "SSL_connect_rv", "ok");
         return APR_SUCCESS;
     }