diff --git a/CHANGES b/CHANGES
index e094e177de..a1b35deb3d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,9 @@
Changes with Apache 2.0.37
+ *) Remove all special mod_ssl URIs. This also fixes the bug where
+ redirecting (.*) will allow an SSL protected page to be viewed
+ without SSL. [Ryan Bloom]
+
*) Fix the binary build install script so that the build logic
created by "apxs -g" will work when the user has a binary
build. [Jeff Trawick]
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index 9326cbc0cd..14e971ce79 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -583,7 +583,6 @@ static void ssl_register_hooks(apr_pool_t *p)
ap_hook_post_config (ssl_init_Module, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_http_method (ssl_hook_http_method, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_default_port (ssl_hook_default_port, NULL,NULL, APR_HOOK_MIDDLE);
- ap_hook_handler (ssl_hook_Handler, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_pre_config (ssl_hook_pre_config, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_child_init (ssl_init_Child, NULL,NULL, APR_HOOK_MIDDLE);
ap_hook_translate_name(ssl_hook_Translate, NULL,NULL, APR_HOOK_MIDDLE);
diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h
index 5999e97ad9..5f8009d694 100644
--- a/modules/ssl/mod_ssl.h
+++ b/modules/ssl/mod_ssl.h
@@ -414,6 +414,7 @@ typedef struct {
int verify_depth;
int is_proxy;
int disabled;
+ int non_ssl_request;
} SSLConnRec;
typedef struct {
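Review bot: The new `non_ssl_request` field at L34 is undocumented, and the code that reads it (`ssl_hook_ReadReq`) treats zero as "normal SSL request", so its correctness depends on SSLConnRec being allocated with a zeroing allocator (apr_pcalloc) — that allocation site is not in this diff and is worth confirming. Suggest `int non_ssl_request; /* plain HTTP was received on this SSL port; ssl_hook_ReadReq() must answer 400 */`. If this header still carries the `ssl_hook_Handler` prototype, it is now a dead declaration since the function is deleted in ssl_engine_kernel.c and its hook registration removed in mod_ssl.c.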
diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
index 290e54409f..47e76329c4 100644
--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
@@ -741,8 +741,17 @@ static apr_status_t ssl_io_input_getline(ssl_io_input_ctx_t *ctx,
return APR_SUCCESS;
}
+/* Just use a simple request. Any request will work for this, because
+ * we use a flag in the conn_rec->conn_vector now. The fake request just
+ * gets the request back to the Apache core so that a response can be sent.
+ *
+ * We should probably use a 0.9 request, but the BIO bucket code is calling
+ * socket_bucket_read one extra time with all 0.9 requests from the client.
+ * Until that is resolved, continue to use a 1.0 request, just like we
+ * always have.
+ */
#define HTTP_ON_HTTPS_PORT \
- "GET /mod_ssl:error:HTTP-request HTTP/1.0"
+ "GET / HTTP/1.0"
#define HTTP_ON_HTTPS_PORT_BUCKET(alloc) \
apr_bucket_immortal_create(HTTP_ON_HTTPS_PORT, \
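Review bot: With the fake request line at L55 reduced to `GET / HTTP/1.0`, it is indistinguishable from a genuine request, so nothing in this file stops the core from serving `/` in the clear; the only thing that does is the `non_ssl_request` flag consulted in `ssl_hook_ReadReq`, and the comment at L44-L52 should state that invariant rather than only the HTTP/0.9 aside. Suggest adding to the comment: ` * NOTE: this request line is real-looking on purpose; the connection is` / ` * marked via sslconn->non_ssl_request and ssl_hook_ReadReq() rejects it` / ` * before translate_name, so no rewrite/alias can map it to content.` The `HTTP_ON_HTTPS_PORT_BUCKET` macro continues past the end of this hunk.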
@@ -760,6 +769,7 @@ static apr_status_t ssl_io_filter_error(ap_filter_t *f,
apr_bucket_brigade *bb,
apr_status_t status)
{
+ SSLConnRec *sslconn = myConnConfig(f->c);
apr_bucket *bucket;
switch (status) {
@@ -771,9 +781,11 @@ static apr_status_t ssl_io_filter_error(ap_filter_t *f,
"trying to send HTML error page");
ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, f->c->base_server);
+ sslconn->non_ssl_request = 1;
+ ssl_io_filter_disable(f);
+
/* fake the request line */
bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc);
- ssl_io_filter_disable(f);
break;
default:
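Review bot: `sslconn` from `myConnConfig(f->c)` at L62 is dereferenced at L68 with no NULL check; presumably this filter only exists on connections that carry an SSLConnRec, but a silent NULL here would mean the faked `GET /` reaches the core unflagged, so it should be asserted rather than assumed, e.g. `ap_assert(sslconn != NULL);` before L68. A one-line comment would also help the next reader: `/* Mark the connection so ssl_hook_ReadReq() answers the faked request with 400 */`. The flag is set only in this case of the switch; if any other case also calls `ssl_io_filter_disable(f)`, it would need the same marking. `ssl_io_filter_error` starts and ends outside this hunk.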
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index bfa3d10968..1e50644ae8 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -174,6 +174,34 @@ int ssl_hook_ReadReq(request_rec *r)
return DECLINED;
}
+ if (sslconn->non_ssl_request) {
+ const char *errmsg;
+ char *thisurl;
+ char *thisport = "";
+ int port = ap_get_server_port(r);
+
+ if (!ap_is_default_port(port, r)) {
+ thisport = apr_psprintf(r->pool, ":%u", port);
+ }
+
+ thisurl = ap_escape_html(r->pool,
+ apr_psprintf(r->pool, "https://%s%s/",
+ ap_get_server_name(r),
+ thisport));
+
+ errmsg = apr_psprintf(r->pool,
+ "Reason: You're speaking plain HTTP "
+ "to an SSL-enabled server port.
\n"
+ "Instead use the HTTPS scheme to access "
+ "this URL, please.
\n"
+ "
Hint: "
+ "%s",
+ thisurl, thisurl);
+
+ apr_table_setn(r->notes, "error-notes", errmsg);
+ return HTTP_BAD_REQUEST;
+ }
+
/*
* Get the SSL connection structure and perform the
* delayed interlinking from SSL back to request_rec
@@ -182,13 +210,6 @@ int ssl_hook_ReadReq(request_rec *r)
SSL_set_app_data2(ssl, r);
}
- /*
- * Force the mod_ssl content handler when URL indicates this
- */
- if (strEQn(r->uri, "/mod_ssl:", 9)) {
- r->handler = "mod_ssl:content-handler";
- }
-
return DECLINED;
}
@@ -264,49 +285,6 @@ int ssl_hook_Translate(request_rec *r)
return DECLINED;
}
-/*
- * Content Handler
- */
-int ssl_hook_Handler(request_rec *r)
-{
- if (strNE(r->handler, "mod_ssl:content-handler")) {
- return DECLINED;
- }
-
- if (strNEn(r->uri, "/mod_ssl:", 9)) {
- return DECLINED;
- }
-
- if (strEQ(r->uri, "/mod_ssl:error:HTTP-request")) {
- const char *errmsg;
- char *thisurl;
- char *thisport = "";
- int port = ap_get_server_port(r);
-
- if (!ap_is_default_port(port, r)) {
- thisport = apr_psprintf(r->pool, ":%u", port);
- }
-
- thisurl = ap_escape_html(r->pool,
- apr_psprintf(r->pool, "https://%s%s/",
- ap_get_server_name(r),
- thisport));
-
- errmsg = apr_psprintf(r->pool,
- "Reason: You're speaking plain HTTP "
- "to an SSL-enabled server port.
Hint: "
- "%s",
- thisurl, thisurl);
-
- apr_table_setn(r->notes, "error-notes", errmsg);
- }
-
- return HTTP_BAD_REQUEST;
-}
-
/*
* Access Handler
*/
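Review bot: The rejection added at L83 depends on the early `return DECLINED` just before it at L81, whose condition lies outside the hunk: by the time this request_rec exists, `ssl_io_filter_disable()` has already run, so if that guard also declines when `sslconn->ssl` is NULL rather than only when `sslconn` itself is NULL, the flag is never consulted and the faked `GET /` is served in the clear — worth confirming and pinning with a comment. Suggest above L83: `/* Plain HTTP arrived on an SSL port: ssl_io_filter_error() faked "GET / HTTP/1.0" and set this flag. Reject here, in read_request, before translate_name/rewrite can map "/" onto real content. */` Keep the `ap_escape_html` at L93 — `ap_get_server_name(r)` may echo a client-supplied Host header into the error page, and a short comment saying so would prevent its removal. The body is a verbatim move of the deleted `ssl_hook_Handler` logic, which is fine; `ssl_hook_ReadReq` begins before this hunk.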