diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c index 12a0986a53..1bf3fa949b 100644 --- a/modules/ssl/mod_ssl.c +++ b/modules/ssl/mod_ssl.c @@ -416,10 +416,9 @@ int ssl_hook_process_connection(SSLFilterRec *filter) /* * The case where OpenSSL has recognized a HTTP request: * This means the client speaks plain HTTP on our HTTPS port. - * Hmmmm... Punt this out of here after removing our output - * filter. + * ssl_io_filter_error will disable the ssl filters when it + * sees this status code. */ - ap_remove_output_filter(filter->pOutputFilter); return HTTP_BAD_REQUEST; } else if ((SSL_get_error(filter->pssl, n) == SSL_ERROR_SYSCALL) && diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c index 076d2770a3..da7a8a23a9 100644 --- a/modules/ssl/ssl_engine_io.c +++ b/modules/ssl/ssl_engine_io.c @@ -743,6 +743,13 @@ static apr_status_t ssl_io_input_getline(ssl_io_input_ctx_t *ctx, sizeof(HTTP_ON_HTTPS_PORT) - 1, \ alloc) +static void ssl_io_filter_disable(ap_filter_t *f) +{ + ssl_io_input_ctx_t *ctx = f->ctx; + ctx->inbio.ssl = NULL; + ctx->frec->pssl = NULL; +} + static apr_status_t ssl_io_filter_error(ap_filter_t *f, apr_bucket_brigade *bb, apr_status_t status) @@ -758,6 +765,7 @@ static apr_status_t ssl_io_filter_error(ap_filter_t *f, /* fake the request line */ bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc); + ssl_io_filter_disable(f); break; default: @@ -781,6 +789,10 @@ static apr_status_t ssl_io_filter_Input(ap_filter_t *f, apr_size_t len = sizeof(ctx->buffer); int is_init = (mode == AP_MODE_INIT); + if (!ctx->inbio.ssl) { + return ap_get_brigade(f->next, bb, mode, block, readbytes); + } + /* XXX: we don't currently support anything other than these modes. */ if (mode != AP_MODE_READBYTES && mode != AP_MODE_GETLINE && mode != AP_MODE_SPECULATIVE && mode != AP_MODE_INIT) {