Posted to cvs@httpd.apache.org by ja...@apache.org on 2015/02/27 07:18:31 UTC

svn commit: r1662640 - in /httpd/httpd/branches/2.4.x: CHANGES modules/ssl/ssl_engine_kernel.c

Author: jailletc36
Date: Fri Feb 27 06:18:31 2015
New Revision: 1662640

URL: http://svn.apache.org/r1662640
Log:
Merge r1644498 from trunk

   * mod_ssl: Fix renegotiation failures redirected to an ErrorDocument.
              (segfault flaw) PR 57334.

Submitted by: ylavic
Reviewed by: ylavic, wrowe, minfrin
Backported by: jailletc36

Modified:
    httpd/httpd/branches/2.4.x/CHANGES
    httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c

Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1662640&r1=1662639&r2=1662640&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Fri Feb 27 06:18:31 2015
@@ -2,6 +2,9 @@
 
 Changes with Apache 2.4.13
 
+  *) mod_ssl: Fix renegotiation failures redirected to an ErrorDocument.
+     PR 57334.  [Yann Ylavic].
+
   *) mod_proxy_ajp: Forward SSL protocol name (SSLv3, TLSv1.1 etc.) as a
      request attribute to the backend. Recent Tomcat versions will extract
      it and provide it as a servlet request attribute named

Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c?rev=1662640&r1=1662639&r2=1662640&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c Fri Feb 27 06:18:31 2015
@@ -80,7 +80,8 @@ static apr_status_t upgrade_connection(r
 
     if (SSL_get_state(ssl) != SSL_ST_OK) {
         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030)
-                      "TLS upgrade handshake failed: not accepted by client!?");
+                      "TLS upgrade handshake failed");
+        ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
 
         return APR_ECONNABORTED;
     }
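Review bot: The rewritten message on the `+` line loses the only hint the old one carried, and the new `ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server)` call presumably logs nothing when OpenSSL's error queue is empty (a client that simply never completed the handshake, or closed without an alert), so in that case the log now says only "TLS upgrade handshake failed" with no indication of where the handshake stopped. Including the library's own state string keeps the line self-explanatory regardless of the queue: `"TLS upgrade handshake failed (state: %s)", SSL_state_string_long(ssl)`. The same pattern is repeated in the third hunk (`Re-negotiation handshake failed` at APLOGNO(02261)), which would benefit from the same addition. upgrade_connection begins and ends outside this hunk, so I have not checked what `ssl` is at this point beyond the `SSL_get_state(ssl)` call shown.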
@@ -314,6 +315,16 @@ int ssl_hook_Access(request_rec *r)
     int depth, verify_old, verify, n;
 
     if (ssl) {
+        /*
+         * We should have handshaken here (on handshakeserver),
+         * otherwise we are being redirected (ErrorDocument) from
+         * a renegotiation failure below. The access is still 
+         * forbidden in the latter case, let ap_die() handle
+         * this recursive (same) error.
+         */
+        if (SSL_get_state(ssl) != SSL_ST_OK) {
+            return HTTP_FORBIDDEN;
+        }
         ctx = SSL_get_SSL_CTX(ssl);
     }
 
@@ -828,8 +839,8 @@ int ssl_hook_Access(request_rec *r)
 
             if (SSL_get_state(ssl) != SSL_ST_OK) {
                 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261)
-                              "Re-negotiation handshake failed: "
-                              "Not accepted by client!?");
+                              "Re-negotiation handshake failed");
+                ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
 
                 r->connection->keepalive = AP_CONN_CLOSE;
                 return HTTP_FORBIDDEN;