You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by ic...@apache.org on 2021/09/09 15:22:23 UTC
svn commit: r1893182 - in /httpd/httpd/branches/2.4.x: ./ include/
modules/proxy/ modules/ssl/ server/
Author: icing
Date: Thu Sep 9 15:22:23 2021
New Revision: 1893182
URL: http://svn.apache.org/viewvc?rev=1893182&view=rev
Log:
Merge r1890605, r1893164, r1893179 from trunk:
*) core/mod_proxy/mod_ssl:
Adding `outgoing` flag to conn_rec, indicating a connection is
initiated by the server to somewhere, in contrast to incoming
connections from clients.
Adding 'ap_ssl_bind_outgoing()` function that marks a connection
as outgoing and is used by mod_proxy instead of the previous
optional function `ssl_engine_set`. This enables other SSL
module to secure proxy connections.
The optional functions `ssl_engine_set`, `ssl_engine_disable` and
`ssl_proxy_enable` are now provided by the core to have backward
compatibility with non-httpd modules that might use them. mod_ssl
itself no longer registers these functions, but keeps them in its
header for backward compatibility.
The core provided optional function wrap any registered function
like it was done for `ssl_is_ssl`.
*core: clarify comments and use hook API better to check for presence of callbacks.
* optimizing hook check as suggested by Yann.
Submitted by: icing
Reviewed by:
Github: closes #203
Modified:
httpd/httpd/branches/2.4.x/ (props changed)
httpd/httpd/branches/2.4.x/CHANGES
httpd/httpd/branches/2.4.x/include/ap_mmn.h
httpd/httpd/branches/2.4.x/include/http_ssl.h
httpd/httpd/branches/2.4.x/include/httpd.h
httpd/httpd/branches/2.4.x/modules/proxy/mod_proxy.c
httpd/httpd/branches/2.4.x/modules/proxy/mod_proxy_hcheck.c
httpd/httpd/branches/2.4.x/modules/proxy/mod_proxy_http.c
httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c
httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_io.c
httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c
httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_vars.c
httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h
httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_stapling.c
httpd/httpd/branches/2.4.x/server/ssl.c
Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
Merged /httpd/httpd/trunk:r1890605,1893164,1893179
Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1893182&r1=1893181&r2=1893182&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Thu Sep 9 15:22:23 2021
@@ -1,6 +1,23 @@
-*- coding: utf-8 -*-
Changes with Apache 2.4.49
+ *) core/mod_proxy/mod_ssl:
+ Adding `outgoing` flag to conn_rec, indicating a connection is
+ initiated by the server to somewhere, in contrast to incoming
+ connections from clients.
+ Adding 'ap_ssl_bind_outgoing()` function that marks a connection
+ as outgoing and is used by mod_proxy instead of the previous
+ optional function `ssl_engine_set`. This enables other SSL
+ module to secure proxy connections.
+ The optional functions `ssl_engine_set`, `ssl_engine_disable` and
+ `ssl_proxy_enable` are now provided by the core to have backward
+ compatibility with non-httpd modules that might use them. mod_ssl
+ itself no longer registers these functions, but keeps them in its
+ header for backward compatibility.
+ The core provided optional function wrap any registered function
+ like it was done for `ssl_is_ssl`.
+ [Stefan Eissing]
+
*) mod_ssl: Support logging private key material for use with
wireshark via log file given by SSLKEYLOGFILE environment
variable. Requires OpenSSL 1.1.1. PR 63391. [Joe Orton]
Modified: httpd/httpd/branches/2.4.x/include/ap_mmn.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/include/ap_mmn.h?rev=1893182&r1=1893181&r2=1893182&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/include/ap_mmn.h (original)
+++ httpd/httpd/branches/2.4.x/include/ap_mmn.h Thu Sep 9 15:22:23 2021
@@ -577,6 +577,7 @@
* 20120211.114 (2.4.49-dev) Add optional balancer_manage function.
* 20120211.115 (2.4.49-dev) Add ap_proxy_get_worker_ex() and
* ap_proxy_define_worker_ex() to mod_proxy.h
+ * 20120211.116 (2.4.49-dev) add conn_rec->outgoing and ap_ssl_bind_outgoing()
*/
#define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */
@@ -584,7 +585,7 @@
#ifndef MODULE_MAGIC_NUMBER_MAJOR
#define MODULE_MAGIC_NUMBER_MAJOR 20120211
#endif
-#define MODULE_MAGIC_NUMBER_MINOR 115 /* 0...n */
+#define MODULE_MAGIC_NUMBER_MINOR 116 /* 0...n */
/**
* Determine if the server's current MODULE_MAGIC_NUMBER is at least a
Modified: httpd/httpd/branches/2.4.x/include/http_ssl.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/include/http_ssl.h?rev=1893182&r1=1893181&r2=1893182&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/include/http_ssl.h (original)
+++ httpd/httpd/branches/2.4.x/include/http_ssl.h Thu Sep 9 15:22:23 2021
@@ -34,6 +34,8 @@
extern "C" {
#endif
+struct ap_conf_vector_t;
+
/**
* This hook allows modules that manage SSL connection to register their
* inquiry function for checking if a connection is using SSL from them.
@@ -50,6 +52,41 @@ AP_DECLARE_HOOK(int,ssl_conn_is_ssl,(con
AP_DECLARE(int) ap_ssl_conn_is_ssl(conn_rec *c);
/**
+ * This hook declares a connection to be outgoing and the configuration that applies to it.
+ * This hook can be called several times in the lifetime of an outgoing connection, e.g.
+ * when it is re-used in different request contexts. It will at least be called after the
+ * connection was created and before the pre-connection hooks is invoked.
+ * All outgoing-connection hooks are run until one returns something other than DECLINE.
+ * if enable_ssl != 0, a hook that sets up SSL for the connection needs to return OK
+ * to prevent subsequent hooks from doing the same.
+ *
+ * @param c The connection on which requests/data are to be sent.
+ * @param dir_conf The directory configuration in which this connection is being used.
+ * @param enable_ssl If != 0, the SSL protocol should be enabled for this connection.
+ * @return DECLINED, OK when ssl was enabled
+ */
+AP_DECLARE_HOOK(int, ssl_bind_outgoing,
+ (conn_rec *c, struct ap_conf_vector_t *dir_conf, int enable_ssl))
+
+/**
+ * Assures the connection is marked as outgoing and invokes the ssl_bind_outgoing hook.
+ * This may be called several times on an outgoing connection with varying dir_conf
+ * values. require_ssl is not allowed to change on the same connection.
+ *
+ * @param c The connection on which requests/data are to be sent.
+ * @param dir_conf The directory configuration in which this connection is being used.
+ * @param require_ssl != 0 iff this connection needs to be secured by SSL/TLS protocol.
+ * @return OK iff ssl was required and is enabled, DECLINED otherwise
+ */
+AP_DECLARE(int) ap_ssl_bind_outgoing(conn_rec *c, struct ap_conf_vector_t *dir_conf,
+ int require_ssl);
+
+/**
+ * Return != 0 iff handlers/hooks for outgoing connections are registered.
+ */
+AP_DECLARE(int) ap_ssl_has_outgoing_handlers(void);
+
+/**
* This hook allows modules to look up SSL related variables for a
* server/connection/request, depending on what they inquire. Some
* variables will only be available for a connection/request, for example.
Modified: httpd/httpd/branches/2.4.x/include/httpd.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/include/httpd.h?rev=1893182&r1=1893181&r2=1893182&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/include/httpd.h (original)
+++ httpd/httpd/branches/2.4.x/include/httpd.h Thu Sep 9 15:22:23 2021
@@ -1238,6 +1238,8 @@ struct conn_rec {
/** The "real" master connection. NULL if I am the master. */
conn_rec *master;
+
+ int outgoing;
};
/**
Modified: httpd/httpd/branches/2.4.x/modules/proxy/mod_proxy.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/proxy/mod_proxy.c?rev=1893182&r1=1893181&r2=1893182&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/proxy/mod_proxy.c (original)
+++ httpd/httpd/branches/2.4.x/modules/proxy/mod_proxy.c Thu Sep 9 15:22:23 2021
@@ -3061,20 +3061,15 @@ PROXY_DECLARE(int) ap_proxy_ssl_enable(c
* if c == NULL just check if the optional function was imported
* else run the optional function so ssl filters are inserted
*/
- if (proxy_ssl_enable) {
- return c ? proxy_ssl_enable(c) : 1;
+ if (c == NULL) {
+ return ap_ssl_has_outgoing_handlers();
}
-
- return 0;
+ return ap_ssl_bind_outgoing(c, NULL, 1) == OK;
}
PROXY_DECLARE(int) ap_proxy_ssl_disable(conn_rec *c)
{
- if (proxy_ssl_disable) {
- return proxy_ssl_disable(c);
- }
-
- return 0;
+ return ap_ssl_bind_outgoing(c, NULL, 0) == OK;
}
PROXY_DECLARE(int) ap_proxy_ssl_engine(conn_rec *c,
@@ -3085,20 +3080,10 @@ PROXY_DECLARE(int) ap_proxy_ssl_engine(c
* if c == NULL just check if the optional function was imported
* else run the optional function so ssl filters are inserted
*/
- if (proxy_ssl_engine) {
- return c ? proxy_ssl_engine(c, per_dir_config, 1, enable) : 1;
+ if (c == NULL) {
+ return ap_ssl_has_outgoing_handlers();
}
-
- if (!per_dir_config) {
- if (enable) {
- return ap_proxy_ssl_enable(c);
- }
- else {
- return ap_proxy_ssl_disable(c);
- }
- }
-
- return 0;
+ return ap_ssl_bind_outgoing(c, per_dir_config, enable) == OK;
}
PROXY_DECLARE(int) ap_proxy_conn_is_https(conn_rec *c)
Modified: httpd/httpd/branches/2.4.x/modules/proxy/mod_proxy_hcheck.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/proxy/mod_proxy_hcheck.c?rev=1893182&r1=1893181&r2=1893182&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/proxy/mod_proxy_hcheck.c (original)
+++ httpd/httpd/branches/2.4.x/modules/proxy/mod_proxy_hcheck.c Thu Sep 9 15:22:23 2021
@@ -20,6 +20,7 @@
#if APR_HAS_THREADS
#include "apr_thread_pool.h"
#endif
+#include "http_ssl.h"
module AP_MODULE_DECLARE_DATA proxy_hcheck_module;
@@ -603,7 +604,7 @@ static int hc_get_backend(const char *pr
(*backend)->addr = hc->cp->addr;
(*backend)->hostname = hc->s->hostname_ex;
if (strcmp(hc->s->scheme, "https") == 0 || strcmp(hc->s->scheme, "wss") == 0 ) {
- if (!ap_proxy_ssl_enable(NULL)) {
+ if (!ap_ssl_has_outgoing_handlers()) {
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, ctx->s, APLOGNO(03252)
"mod_ssl not configured?");
return !OK;
Modified: httpd/httpd/branches/2.4.x/modules/proxy/mod_proxy_http.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/proxy/mod_proxy_http.c?rev=1893182&r1=1893181&r2=1893182&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/proxy/mod_proxy_http.c (original)
+++ httpd/httpd/branches/2.4.x/modules/proxy/mod_proxy_http.c Thu Sep 9 15:22:23 2021
@@ -1867,7 +1867,7 @@ static int proxy_http_handler(request_re
"HTTP: declining URL %s", url);
return DECLINED; /* only interested in HTTP, WS or FTP via proxy */
}
- if (is_ssl && !ap_proxy_ssl_enable(NULL)) {
+ if (is_ssl && !ap_ssl_has_outgoing_handlers()) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01112)
"HTTP: declining URL %s (mod_ssl not configured?)", url);
return DECLINED;
Modified: httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c?rev=1893182&r1=1893181&r2=1893182&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/mod_ssl.c Thu Sep 9 15:22:23 2021
@@ -461,7 +461,7 @@ static int ssl_hook_pre_config(apr_pool_
static SSLConnRec *ssl_init_connection_ctx(conn_rec *c,
ap_conf_vector_t *per_dir_config,
- int new_proxy)
+ int reinit)
{
SSLConnRec *sslconn = myConnConfig(c);
int need_setup = 0;
@@ -477,7 +477,7 @@ static SSLConnRec *ssl_init_connection_c
sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
need_setup = 1;
}
- else if (!new_proxy) {
+ else if (!reinit) {
return sslconn;
}
@@ -495,8 +495,7 @@ static SSLConnRec *ssl_init_connection_c
if (need_setup) {
sslconn->server = c->base_server;
sslconn->verify_depth = UNSET;
- if (new_proxy) {
- sslconn->is_proxy = 1;
+ if (c->outgoing) {
sslconn->cipher_suite = sslconn->dc->proxy->auth.cipher_suite;
}
else {
@@ -516,10 +515,11 @@ static int ssl_engine_status(conn_rec *c
return DECLINED;
}
if (sslconn) {
+ /* This connection has already been configured. Check what applies. */
if (sslconn->disabled) {
return SUSPENDED;
}
- if (sslconn->is_proxy) {
+ if (c->outgoing) {
if (!sslconn->dc->proxy_enabled) {
return DECLINED;
}
@@ -531,53 +531,41 @@ static int ssl_engine_status(conn_rec *c
}
}
else {
- if (mySrvConfig(c->base_server)->enabled != SSL_ENABLED_TRUE) {
+ /* we decline by default for outgoing connections and for incoming
+ * where the base_server is not enabled. */
+ if (c->outgoing || mySrvConfig(c->base_server)->enabled != SSL_ENABLED_TRUE) {
return DECLINED;
}
}
return OK;
}
-static int ssl_engine_set(conn_rec *c,
- ap_conf_vector_t *per_dir_config,
- int proxy, int enable)
+static int ssl_hook_ssl_bind_outgoing(conn_rec *c,
+ ap_conf_vector_t *per_dir_config,
+ int enable_ssl)
{
SSLConnRec *sslconn;
int status;
-
- if (proxy) {
- sslconn = ssl_init_connection_ctx(c, per_dir_config, 1);
- }
- else {
- sslconn = myConnConfig(c);
- }
+ sslconn = ssl_init_connection_ctx(c, per_dir_config, 1);
status = ssl_engine_status(c, sslconn);
-
- if (proxy && status == DECLINED) {
- if (enable) {
+ if (enable_ssl) {
+ if (status != OK) {
SSLSrvConfigRec *sc = mySrvConfig(sslconn->server);
- ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01961)
- "SSL Proxy requested for %s but not enabled "
- "[Hint: SSLProxyEngine]", sc->vhost_id);
+ sslconn->disabled = 1;
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(10272)
+ "SSL Proxy requested for %s but not enabled for us.",
+ sc->vhost_id);
+ }
+ else {
+ sslconn->disabled = 0;
+ return OK;
}
- sslconn->disabled = 1;
}
- else if (sslconn) {
- sslconn->disabled = !enable;
+ else {
+ sslconn->disabled = 1;
}
-
- return status != DECLINED;
-}
-
-static int ssl_proxy_enable(conn_rec *c)
-{
- return ssl_engine_set(c, NULL, 1, 1);
-}
-
-static int ssl_engine_disable(conn_rec *c)
-{
- return ssl_engine_set(c, NULL, 0, 0);
+ return DECLINED;
}
int ssl_init_ssl_connection(conn_rec *c, request_rec *r)
@@ -601,9 +589,9 @@ int ssl_init_ssl_connection(conn_rec *c,
* Seed the Pseudo Random Number Generator (PRNG)
*/
ssl_rand_seed(server, c->pool, SSL_RSCTX_CONNECT,
- sslconn->is_proxy ? "Proxy: " : "Server: ");
+ c->outgoing ? "Proxy: " : "Server: ");
- mctx = myCtxConfig(sslconn, sc);
+ mctx = myConnCtxConfig(c, sc);
/*
* Create a new SSL connection with the configured server SSL context and
@@ -621,7 +609,7 @@ int ssl_init_ssl_connection(conn_rec *c,
return DECLINED; /* XXX */
}
- rc = ssl_run_pre_handshake(c, ssl, sslconn->is_proxy ? 1 : 0);
+ rc = ssl_run_pre_handshake(c, ssl, c->outgoing ? 1 : 0);
if (rc != OK && rc != DECLINED) {
return rc;
}
@@ -753,10 +741,7 @@ static void ssl_register_hooks(apr_pool_
APR_HOOK_MIDDLE);
ssl_var_register(p);
-
- APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
- APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
- APR_REGISTER_OPTIONAL_FN(ssl_engine_set);
+ ap_hook_ssl_bind_outgoing (ssl_hook_ssl_bind_outgoing, NULL, NULL, APR_HOOK_MIDDLE);
ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ssl",
AUTHZ_PROVIDER_VERSION,
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_io.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_io.c?rev=1893182&r1=1893181&r2=1893182&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_io.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_io.c Thu Sep 9 15:22:23 2021
@@ -1171,7 +1171,7 @@ static apr_status_t ssl_io_filter_handsh
}
server = sslconn->server;
- if (sslconn->is_proxy) {
+ if (c->outgoing) {
#ifdef HAVE_TLSEXT
apr_ipsubnet_t *ip;
#ifdef HAVE_TLS_ALPN
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c?rev=1893182&r1=1893181&r2=1893182&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_kernel.c Thu Sep 9 15:22:23 2021
@@ -1747,7 +1747,7 @@ int ssl_callback_SSLVerify(int ok, X509_
SSLSrvConfigRec *sc = mySrvConfig(s);
SSLConnRec *sslconn = myConnConfig(conn);
SSLDirConfigRec *dc = r ? myDirConfig(r) : sslconn->dc;
- modssl_ctx_t *mctx = myCtxConfig(sslconn, sc);
+ modssl_ctx_t *mctx = myConnCtxConfig(conn, sc);
int crl_check_mode = mctx->crl_check_mask & ~SSL_CRLCHECK_FLAGS;
/* Get verify ingredients */
@@ -1771,7 +1771,7 @@ int ssl_callback_SSLVerify(int ok, X509_
* Check for optionally acceptable non-verifiable issuer situation
*/
if (dc) {
- if (sslconn->is_proxy) {
+ if (conn->outgoing) {
verify = dc->proxy->auth.verify_mode;
}
else {
@@ -1883,7 +1883,7 @@ int ssl_callback_SSLVerify(int ok, X509_
* Finally check the depth of the certificate verification
*/
if (dc) {
- if (sslconn->is_proxy) {
+ if (conn->outgoing) {
depth = dc->proxy->auth.verify_depth;
}
else {
@@ -2292,7 +2292,7 @@ void ssl_callback_Info(const SSL *ssl, i
/* If the reneg state is to reject renegotiations, check the SSL
* state machine and move to ABORT if a Client Hello is being
* read. */
- if (!sslconn->is_proxy &&
+ if (!c->outgoing &&
(where & SSL_CB_HANDSHAKE_START) &&
sslconn->reneg_state == RENEG_REJECT) {
sslconn->reneg_state = RENEG_ABORT;
@@ -2534,7 +2534,7 @@ static int ssl_find_vhost(void *serverna
* Don't switch the protocol if none is configured for this vhost,
* the default in this case is still the base server's SSLProtocol.
*/
- if (myCtxConfig(sslcon, sc)->protocol_set) {
+ if (myConnCtxConfig(c, sc)->protocol_set) {
SSL_set_min_proto_version(ssl, SSL_CTX_get_min_proto_version(ctx));
SSL_set_max_proto_version(ssl, SSL_CTX_get_max_proto_version(ctx));
}
@@ -2620,8 +2620,7 @@ int ssl_callback_SessionTicket(SSL *ssl,
conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
server_rec *s = mySrvFromConn(c);
SSLSrvConfigRec *sc = mySrvConfig(s);
- SSLConnRec *sslconn = myConnConfig(c);
- modssl_ctx_t *mctx = myCtxConfig(sslconn, sc);
+ modssl_ctx_t *mctx = myConnCtxConfig(c, sc);
modssl_ticket_key_t *ticket_key = mctx->ticket_key;
if (mode == 1) {
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_vars.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_vars.c?rev=1893182&r1=1893181&r2=1893182&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_vars.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_engine_vars.c Thu Sep 9 15:22:23 2021
@@ -65,10 +65,10 @@ static SSLConnRec *ssl_get_effective_con
return sslconn;
}
-static int ssl_is_https(conn_rec *c)
+static int ssl_conn_is_ssl(conn_rec *c)
{
- SSLConnRec *sslconn = ssl_get_effective_config(c);
- return sslconn && sslconn->ssl;
+ const SSLConnRec *sslconn = ssl_get_effective_config(c);
+ return (sslconn && sslconn->ssl)? OK : DECLINED;
}
static const char var_interface[] = "mod_ssl/" AP_SERVER_BASEREVISION;
@@ -137,7 +137,7 @@ void ssl_var_register(apr_pool_t *p)
{
char *cp, *cp2;
- APR_REGISTER_OPTIONAL_FN(ssl_is_https);
+ ap_hook_ssl_conn_is_ssl(ssl_conn_is_ssl, NULL, NULL, APR_HOOK_MIDDLE);
APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
APR_REGISTER_OPTIONAL_FN(ssl_ext_list);
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h?rev=1893182&r1=1893181&r2=1893182&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_private.h Thu Sep 9 15:22:23 2021
@@ -311,8 +311,8 @@ APLOG_USE_MODULE(ssl);
((SSLSrvConfigRec *)ap_get_module_config(srv->module_config, &ssl_module))
#define myDirConfig(req) \
((SSLDirConfigRec *)ap_get_module_config(req->per_dir_config, &ssl_module))
-#define myCtxConfig(sslconn, sc) \
- (sslconn->is_proxy ? sslconn->dc->proxy : sc->server)
+#define myConnCtxConfig(c, sc) \
+ (c->outgoing ? myConnConfig(c)->dc->proxy : sc->server)
#define myModConfig(srv) mySrvConfig((srv))->mc
#define mySrvFromConn(c) myConnConfig(c)->server
#define myDirConfigFromConn(c) myConnConfig(c)->dc
@@ -533,7 +533,6 @@ typedef struct {
const char *verify_info;
const char *verify_error;
int verify_depth;
- int is_proxy;
int disabled;
enum {
NON_SSL_OK = 0, /* is SSL request, or error handling completed */
Modified: httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_stapling.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_stapling.c?rev=1893182&r1=1893181&r2=1893182&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_stapling.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ssl/ssl_util_stapling.c Thu Sep 9 15:22:23 2021
@@ -810,8 +810,7 @@ static int stapling_cb(SSL *ssl, void *a
conn_rec *conn = (conn_rec *)SSL_get_app_data(ssl);
server_rec *s = mySrvFromConn(conn);
SSLSrvConfigRec *sc = mySrvConfig(s);
- SSLConnRec *sslconn = myConnConfig(conn);
- modssl_ctx_t *mctx = myCtxConfig(sslconn, sc);
+ modssl_ctx_t *mctx = myConnCtxConfig(conn, sc);
UCHAR idx[SHA_DIGEST_LENGTH];
ocsp_resp resp;
certinfo *cinf = NULL;
Modified: httpd/httpd/branches/2.4.x/server/ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/ssl.c?rev=1893182&r1=1893181&r2=1893182&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/server/ssl.c (original)
+++ httpd/httpd/branches/2.4.x/server/ssl.c Thu Sep 9 15:22:23 2021
@@ -36,6 +36,7 @@
#include "httpd.h"
#include "http_config.h"
#include "http_core.h"
+#include "http_connection.h"
#include "http_protocol.h"
#include "http_request.h"
#include "http_main.h"
@@ -64,10 +65,20 @@ APR_HOOK_STRUCT(
APR_HOOK_LINK(ssl_answer_challenge)
APR_HOOK_LINK(ssl_ocsp_prime_hook)
APR_HOOK_LINK(ssl_ocsp_get_resp_hook)
+ APR_HOOK_LINK(ssl_bind_outgoing)
)
APR_DECLARE_OPTIONAL_FN(int, ssl_is_https, (conn_rec *));
static APR_OPTIONAL_FN_TYPE(ssl_is_https) *module_ssl_is_https;
+APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
+static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *module_ssl_proxy_enable;
+APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
+static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *module_ssl_engine_disable;
+APR_DECLARE_OPTIONAL_FN(int, ssl_engine_set, (conn_rec *,
+ ap_conf_vector_t *,
+ int proxy, int enable));
+static APR_OPTIONAL_FN_TYPE(ssl_engine_set) *module_ssl_engine_set;
+
static int ssl_is_https(conn_rec *c)
{
@@ -85,6 +96,78 @@ AP_DECLARE(int) ap_ssl_conn_is_ssl(conn_
return r;
}
+static int ssl_engine_set(conn_rec *c,
+ ap_conf_vector_t *per_dir_config,
+ int proxy, int enable)
+{
+ if (proxy) {
+ return ap_ssl_bind_outgoing(c, per_dir_config, enable) == OK;
+ }
+ else if (module_ssl_engine_set) {
+ return module_ssl_engine_set(c, per_dir_config, 0, enable);
+ }
+ else if (enable && module_ssl_proxy_enable) {
+ return module_ssl_proxy_enable(c);
+ }
+ else if (!enable && module_ssl_engine_disable) {
+ return module_ssl_engine_disable(c);
+ }
+ return 0;
+}
+
+static int ssl_proxy_enable(conn_rec *c)
+{
+ return ap_ssl_bind_outgoing(c, NULL, 1);
+}
+
+static int ssl_engine_disable(conn_rec *c)
+{
+ return ap_ssl_bind_outgoing(c, NULL, 0);
+}
+
+AP_DECLARE(int) ap_ssl_bind_outgoing(conn_rec *c, struct ap_conf_vector_t *dir_conf,
+ int enable_ssl)
+{
+ int rv, enabled = 0;
+
+ c->outgoing = 1;
+ rv = ap_run_ssl_bind_outgoing(c, dir_conf, enable_ssl);
+ enabled = (rv == OK);
+ if (enable_ssl && !enabled) {
+ /* the hooks did not take over. Is there an old skool optional that will? */
+ if (module_ssl_engine_set) {
+ enabled = module_ssl_engine_set(c, dir_conf, 1, 1);
+ }
+ else if (module_ssl_proxy_enable) {
+ enabled = module_ssl_proxy_enable(c);
+ }
+ }
+ else {
+ /* !enable_ssl || enabled
+ * any existing optional funcs need to not enable here */
+ if (module_ssl_engine_set) {
+ module_ssl_engine_set(c, dir_conf, 1, 0);
+ }
+ else if (module_ssl_engine_disable) {
+ module_ssl_engine_disable(c);
+ }
+ }
+ if (enable_ssl && !enabled) {
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0,
+ c, APLOGNO(01961) " failed to enable ssl support "
+ "[Hint: if using mod_ssl, see SSLProxyEngine]");
+ return DECLINED;
+ }
+ return OK;
+}
+
+AP_DECLARE(int) ap_ssl_has_outgoing_handlers(void)
+{
+ apr_array_header_t *hooks = ap_hook_get_ssl_bind_outgoing();
+ return (hooks && hooks->nelts > 0)
+ || module_ssl_engine_set || module_ssl_proxy_enable;
+}
+
APR_DECLARE_OPTIONAL_FN(const char *, ssl_var_lookup,
(apr_pool_t *p, server_rec *s,
conn_rec *c, request_rec *r,
@@ -128,6 +211,13 @@ AP_DECLARE(void) ap_setup_ssl_optional_f
module_ssl_var_lookup = (fn_ssl_var_lookup
&& fn_ssl_var_lookup != ssl_var_lookup)? fn_ssl_var_lookup : NULL;
APR_REGISTER_OPTIONAL_FN(ssl_var_lookup);
+
+ module_ssl_proxy_enable = APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);
+ APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
+ module_ssl_engine_disable = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);
+ APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
+ module_ssl_engine_set = APR_RETRIEVE_OPTIONAL_FN(ssl_engine_set);
+ APR_REGISTER_OPTIONAL_FN(ssl_engine_set);
}
AP_DECLARE(apr_status_t) ap_ssl_add_cert_files(server_rec *s, apr_pool_t *p,
@@ -191,3 +281,5 @@ AP_IMPLEMENT_HOOK_RUN_FIRST(int, ssl_ocs
(server_rec *s, conn_rec *c, const char *id, apr_size_t id_len,
ap_ssl_ocsp_copy_resp *cb, void *userdata),
(s, c, id, id_len, cb, userdata), DECLINED)
+AP_IMPLEMENT_HOOK_RUN_FIRST(int,ssl_bind_outgoing,(conn_rec *c, ap_conf_vector_t *dir_conf, int require_ssl),
+ (c, dir_conf, require_ssl), DECLINED)