Posted to dev@httpd.apache.org by "Mathihalli, Madhusudan" <ma...@hp.com> on 2004/02/23 22:22:05 UTC

[PATCH] SSL not sending close alert message

Hi,
	I started working on Justin's idea of creating an EOC bucket - to do an SSL shutdown before the socket close(). But since the ap_flush_conn is called just before closing the socket - I thought of doing the SSL shutdown during the flush itself. Let me know what you think of this patch.

-Madhu

Index: ssl_engine_io.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/ssl/ssl_engine_io.c,v
retrieving revision 1.117
diff -u -r1.117 ssl_engine_io.c
--- ssl_engine_io.c     9 Feb 2004 20:29:22 -0000       1.117
+++ ssl_engine_io.c     23 Feb 2004 21:18:24 -0000
@@ -872,7 +872,8 @@
  */
 static apr_status_t ssl_filter_io_shutdown(ssl_filter_ctx_t *filter_ctx,
                                            conn_rec *c,
-                                           int abortive)
+                                           int abortive,
+                                           int shutdown_flag)
 {
     SSL *ssl = filter_ctx->pssl;
     const char *type = "";
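
Review bot: the new "int shutdown_flag" parameter is added next to "int abortive" without any description, and the function comment that closes just above the signature is not updated here. The name does not say what a non-zero value does, and the call sites end up as (filter_ctx, c, 1, 1), which is hard to read. Suggest a name that states the effect and a sentence in the comment covering both values.
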
@@ -951,6 +952,9 @@
     SSL_set_shutdown(ssl, shutdown_type);
     SSL_smart_shutdown(ssl);
 
+    if (shutdown_flag)
+        return APR_SUCCESS;
+
     /* and finally log the fact that we've closed the connection */
     if (c->base_server->loglevel >= APLOG_INFO) {
         ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server,
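
Review bot: the early return after SSL_smart_shutdown(ssl) is taken when shutdown_flag is non-zero, and every pre-existing caller in this patch is changed to pass 1, so those callers now skip the "closed the connection" log and everything after it in the function; only the new flush-path call, which passes 0, still runs it. That changes behaviour on the existing paths, including the abortive error paths, rather than on the new one. Please confirm nothing past this point is still needed by the existing callers (the rest of the function is not shown in this hunk), or invert the test so they keep their current behaviour.
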
@@ -990,7 +994,7 @@
     }
 
     c = (conn_rec *)SSL_get_app_data(filter_ctx->pssl);
-    if ((ret = ssl_filter_io_shutdown(filter_ctx, c, 0)) != APR_SUCCESS) {
+    if ((ret = ssl_filter_io_shutdown(filter_ctx, c, 0, 1)) != APR_SUCCESS) {
         ap_log_error(APLOG_MARK, APLOG_INFO, ret, NULL,
                      "SSL filter error shutting down I/O");
     }
@@ -1025,7 +1029,7 @@
                          c->base_server,
                          "SSL Proxy connect failed");
             ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
-            return ssl_filter_io_shutdown(filter_ctx, c, 1);
+            return ssl_filter_io_shutdown(filter_ctx, c, 1, 1);
         }
 
         return APR_SUCCESS;
@@ -1089,7 +1093,7 @@
             inctx->rc = APR_EGENERAL;
         }
 
-        return ssl_filter_io_shutdown(filter_ctx, c, 1);
+        return ssl_filter_io_shutdown(filter_ctx, c, 1, 1);
     }
 
     /*
@@ -1130,7 +1134,7 @@
                          error ? error : "unknown");
             ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, c->base_server);
 
-            return ssl_filter_io_shutdown(filter_ctx, c, 1);
+            return ssl_filter_io_shutdown(filter_ctx, c, 1, 1);
         }
     }
 
@@ -1155,7 +1159,7 @@
         ap_log_error(APLOG_MARK, APLOG_INFO, 0, c->base_server,
                      "No acceptable peer certificate available");
 
-        return ssl_filter_io_shutdown(filter_ctx, c, 1);
+        return ssl_filter_io_shutdown(filter_ctx, c, 1, 1);
     }
 
     return APR_SUCCESS;
@@ -1392,6 +1396,7 @@
                 /* bio_filter_out_flush() already passed down a flush bucket
                  * if there was any data to be flushed.
                  */
+                ssl_filter_io_shutdown(filter_ctx, f->c, 0, 0);
                 apr_bucket_delete(bucket);
             }
         }
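
Review bot: the added ssl_filter_io_shutdown(filter_ctx, f->c, 0, 0) call is unconditional inside the flush-bucket branch, so SSL_set_shutdown() and SSL_smart_shutdown() run for every flush bucket that reaches this filter, not only for the one ap_flush_conn sends before the socket is closed. Nothing here checks that the connection is actually ending, so a flush in the middle of a kept-alive connection would send the close alert early. The return value is also discarded, unlike at the other call sites; suggest gating the call on an end-of-connection signal and checking or logging the result.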

Re: [PATCH] SSL not sending close alert message

Posted by Cliff Woolley <jw...@virginia.edu>.
On Tue, 24 Feb 2004, William A. Rowe, Jr. wrote:

> I suspect that if the http protocol filter knew the difference between keep
> alive and connection close requests, it should eat non-terminal EOS marks
> (and pass flush instead?) while still passing a final EOS to the network
> stack layer?

That would break a lot of stuff........ :)

Re: [PATCH] SSL not sending close alert message

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
At 04:07 PM 2/23/2004, Joe Orton wrote:
>On Mon, Feb 23, 2004 at 01:22:05PM -0800, Mathihalli, Madhusudan wrote:
>> Hi,
>>       I started working on Justin's idea of creating an EOC bucket - to
>>       do an SSL shutdown before the socket close(). But since the
>>       ap_flush_conn is called just before closing the socket - I
>>       thought of doing the SSL shutdown during the flush itself. Let
>>       me know what you think of this patch.
>
>This is just back to what we had patches for already: doing an SSL
>shutdown on any EOF bucket, right?  Which is not right since you get an
>EOS after each HTTP response, not at the end of the connection.
>
>Hence the need for a new bucket type to represent end-of-connection 
>differently from EOS.

Do we?

I suspect that if the http protocol filter knew the difference between keep
alive and connection close requests, it should eat non-terminal EOS marks
(and pass flush instead?) while still passing a final EOS to the network 
stack layer?

Bill





Re: [PATCH] SSL not sending close alert message

Posted by Joe Orton <jo...@redhat.com>.
On Mon, Feb 23, 2004 at 01:22:05PM -0800, Mathihalli, Madhusudan wrote:
> Hi,
> 	I started working on Justin's idea of creating an EOC bucket - to
> 	do an SSL shutdown before the socket close(). But since the
> 	ap_flush_conn is called just before closing the socket - I
> 	thought of doing the SSL shutdown during the flush itself. Let
> 	me know what you think of this patch.

This is just back to what we had patches for already: doing an SSL
shutdown on any EOF bucket, right?  Which is not right since you get an
EOS after each HTTP response, not at the end of the connection.

Hence the need for a new bucket type to represent end-of-connection 
differently from EOS.

(the test case for that is to see if you can send two requests on a
single SSL connection)

joe
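
The test case described above (two requests on a single SSL connection), as a toy model added here; it is not code from httpd or from anyone in this thread. The bucket and policy names and the sample bucket sequence are assumptions made for the illustration.

```c
#include <stdio.h>

/* Toy bucket types named after the thread; this is not httpd's bucket API. */
typedef enum { B_DATA, B_FLUSH, B_EOS, B_EOC } bucket_t;

/* Which bucket makes the modelled SSL filter send close_notify. */
typedef enum { ON_NEVER, ON_FLUSH, ON_EOS, ON_EOC } policy_t;

/* Constructed keep-alive connection: two responses, then connection end. */
static const bucket_t two_requests[] = {
    B_DATA, B_EOS, B_FLUSH,   /* response 1 */
    B_DATA, B_EOS, B_FLUSH,   /* response 2 */
    B_EOC                     /* connection is about to be closed */
};
#define N_BUCKETS ((int)(sizeof two_requests / sizeof two_requests[0]))

static int triggers_shutdown(policy_t p, bucket_t b)
{
    return (p == ON_FLUSH && b == B_FLUSH) ||
           (p == ON_EOS && b == B_EOS) ||
           (p == ON_EOC && b == B_EOC);
}

/* Returns the number of responses written before close_notify;
 * *alert_sent is set to 1 if a close alert went out at all. */
static int responses_delivered(policy_t p, const bucket_t *b, int n,
                               int *alert_sent)
{
    int delivered = 0;
    *alert_sent = 0;
    for (int i = 0; i < n && !*alert_sent; i++) {
        if (b[i] == B_DATA)
            delivered++;
        else if (triggers_shutdown(p, b[i]))
            *alert_sent = 1;  /* no further writes after close_notify */
    }
    return delivered;
}

int main(void)
{
    static const char *name[] = { "never", "on FLUSH", "on EOS", "on EOC" };
    for (int p = ON_NEVER; p <= ON_EOC; p++) {
        int alert;
        int n = responses_delivered((policy_t)p, two_requests, N_BUCKETS, &alert);
        printf("%-8s: %d of 2 responses sent, close alert %s\n",
               name[p], n, alert ? "sent" : "missing");
    }
    return 0;
}
```

Only the end-of-connection policy delivers both responses and still sends the close alert; shutting down on FLUSH or EOS cuts the connection after the first response.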