After some productive feedback and no negative feedback, introduce

SSLEngine upgrade so that we can begin and continue to support these facilities. This makes it simpler to keep this effort (while we have no known clients that support Connection: upgrade at this time), and begin refactoring more of SSL into smaller and tighter (and then optional) components. Submitted by: Ryan Bloom Reviewed by: William Rowe, Joe Orton git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@97912 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2002-12-14 07:46:45 +00:00
parent 76c103be59
commit 2f62c790c7
6 changed files with 129 additions and 8 deletions
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -223,6 +223,16 @@ int ssl_hook_Access(request_rec *r)
     * Support for SSLRequireSSL directive
     */
    if (dc->bSSLRequired && !ssl) {
+        if (sc->enabled == UNSET) {
+            /* This vhost was configured for optional SSL, just tell the
+             * client that we need to upgrade.
+             */
+            apr_table_setn(r->err_headers_out, "Upgrade", "TLS/1.0, HTTP/1.1");
+            apr_table_setn(r->err_headers_out, "Connection", "Upgrade");
+
+            return HTTP_UPGRADE_REQUIRED;
+        }
+
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, 
                      "access to %s failed, reason: %s",
                      r->filename, "SSL connection required");
@@ -1014,6 +1024,10 @@ int ssl_hook_Fixup(request_rec *r)
    SSL *ssl;
    int i;

+    if (sc->enabled == UNSET) {
+        apr_table_setn(r->headers_out, "Upgrade", "TLS/1.0, HTTP/1.1");
+    }
+
    /*
     * Check to see if SSL is on
     */