
remove antiquated 'SSLEngine optional' TLS upgrade

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1927037 13f79535-47bb-0310-9956-ffa450edef68
Eric Covener
2025-07-07 11:55:00 +00:00
parent 349248060f
commit 63f48bb6f3
4 changed files with 7 additions and 94 deletions


@@ -831,11 +831,13 @@ const char *ssl_cmd_SSLEngine(cmd_parms *cmd, void *dcfg, const char *arg)
return NULL; return NULL;
} }
else if (!strcasecmp(arg, "Optional")) { else if (!strcasecmp(arg, "Optional")) {
sc->enabled = SSL_ENABLED_OPTIONAL; sc->enabled = SSL_ENABLED_FALSE;
ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, cmd->server, APLOGNO(10510)
"'SSLEngine optional' is no longer supported");
return NULL; return NULL;
} }
return "Argument must be On, Off, or Optional"; return "Argument must be On or Off";
} }
const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag) const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag)
@@ -2442,9 +2444,6 @@ static void val_enabled_dump(apr_file_t *out, const char *key, ssl_enabled_t val
case SSL_ENABLED_TRUE: case SSL_ENABLED_TRUE:
val_str_dump(out, key, "on", p, indent, psep); val_str_dump(out, key, "on", p, indent, psep);
return; return;
case SSL_ENABLED_OPTIONAL:
val_str_dump(out, key, "optional", p, indent, psep);
return;
default: default:
return; return;
} }
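Review bot: In ssl_cmd_SSLEngine the new "Optional" branch maps a vhost that was explicitly configured to offer TLS onto SSL_ENABLED_FALSE and only logs at NOTICE, so a stale configuration silently becomes plaintext-only (and its SSL* directives become dead config) rather than failing at startup; that is a fail-open downgrade. Since the directive's own error text now says the argument must be On or Off, I would reject the value instead of translating it: `return "'SSLEngine optional' is no longer supported; use On or Off";`, which makes configtest fail and forces the operator to choose deliberately. If keeping the server starting is the intent, the message should at least be APLOG_WARNING and say explicitly that the vhost is now treated as `SSLEngine off`. The body of ssl_cmd_SSLEngine begins before this hunk.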


@@ -443,7 +443,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
&ssl_module); &ssl_module);
sc = mySrvConfig(s); sc = mySrvConfig(s);
if (sc->enabled == SSL_ENABLED_TRUE || sc->enabled == SSL_ENABLED_OPTIONAL) { if (sc->enabled == SSL_ENABLED_TRUE) {
if ((rv = ssl_run_init_server(s, p, 0, sc->server->ssl_ctx)) != APR_SUCCESS) { if ((rv = ssl_run_init_server(s, p, 0, sc->server->ssl_ctx)) != APR_SUCCESS) {
return rv; return rv;
} }
@@ -2165,9 +2165,9 @@ apr_status_t ssl_init_ConfigureServer(server_rec *s,
&ssl_module); &ssl_module);
apr_status_t rv; apr_status_t rv;
/* Initialize the server if SSL is enabled or optional. /* Initialize the server if SSL is enabled.
*/ */
if ((sc->enabled == SSL_ENABLED_TRUE) || (sc->enabled == SSL_ENABLED_OPTIONAL)) { if (sc->enabled == SSL_ENABLED_TRUE) {
ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01914) ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01914)
"Configuring server %s for SSL protocol", sc->vhost_id); "Configuring server %s for SSL protocol", sc->vhost_id);
if ((rv = ssl_init_server_ctx(s, p, ptemp, sc, pphrases)) if ((rv = ssl_init_server_ctx(s, p, ptemp, sc, pphrases))


@@ -38,58 +38,6 @@ static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s); static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s);
#endif #endif
#define SWITCH_STATUS_LINE "HTTP/1.1 101 Switching Protocols"
#define UPGRADE_HEADER "Upgrade: TLS/1.0, HTTP/1.1"
#define CONNECTION_HEADER "Connection: Upgrade"
/* Perform an upgrade-to-TLS for the given request, per RFC 2817. */
static apr_status_t upgrade_connection(request_rec *r)
{
struct conn_rec *conn = r->connection;
apr_bucket_brigade *bb;
SSLConnRec *sslconn;
apr_status_t rv;
SSL *ssl;
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02028)
"upgrading connection to TLS");
bb = apr_brigade_create(r->pool, conn->bucket_alloc);
rv = ap_fputs(conn->output_filters, bb, SWITCH_STATUS_LINE CRLF
UPGRADE_HEADER CRLF CONNECTION_HEADER CRLF CRLF);
if (rv == APR_SUCCESS) {
APR_BRIGADE_INSERT_TAIL(bb,
apr_bucket_flush_create(conn->bucket_alloc));
rv = ap_pass_brigade(conn->output_filters, bb);
}
if (rv) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02029)
"failed to send 101 interim response for connection "
"upgrade");
return rv;
}
ssl_init_ssl_connection(conn, r);
sslconn = myConnConfig(conn);
ssl = sslconn->ssl;
/* Perform initial SSL handshake. */
SSL_set_accept_state(ssl);
if ((SSL_do_handshake(ssl) != 1) || !SSL_is_init_finished(ssl)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030)
"TLS upgrade handshake failed");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
return APR_ECONNABORTED;
}
return APR_SUCCESS;
}
/* Perform a speculative (and non-blocking) read from the connection /* Perform a speculative (and non-blocking) read from the connection
* filters for the given request, to determine whether there is any * filters for the given request, to determine whether there is any
* pending data to read. Return non-zero if there is, else zero. */ * pending data to read. Return non-zero if there is, else zero. */
@@ -269,23 +217,11 @@ int ssl_hook_ReadReq(request_rec *r)
{ {
SSLSrvConfigRec *sc = mySrvConfig(r->server); SSLSrvConfigRec *sc = mySrvConfig(r->server);
SSLConnRec *sslconn; SSLConnRec *sslconn;
const char *upgrade;
#ifdef HAVE_TLSEXT #ifdef HAVE_TLSEXT
const char *servername; const char *servername;
#endif #endif
SSL *ssl; SSL *ssl;
/* Perform TLS upgrade here if "SSLEngine optional" is configured,
* SSL is not already set up for this connection, and the client
* has sent a suitable Upgrade header. */
if (sc->enabled == SSL_ENABLED_OPTIONAL && !myConnConfig(r->connection)
&& (upgrade = apr_table_get(r->headers_in, "Upgrade")) != NULL
&& ap_find_token(r->pool, upgrade, "TLS/1.0")) {
if (upgrade_connection(r)) {
return AP_FILTER_ERROR;
}
}
/* If we are on a slave connection, we do not expect to have an SSLConnRec, /* If we are on a slave connection, we do not expect to have an SSLConnRec,
* but our master connection might. */ * but our master connection might. */
sslconn = myConnConfig(r->connection); sslconn = myConnConfig(r->connection);
@@ -293,17 +229,6 @@ int ssl_hook_ReadReq(request_rec *r)
sslconn = myConnConfig(r->connection->master); sslconn = myConnConfig(r->connection->master);
} }
/* If "SSLEngine optional" is configured, this is not an SSL
* connection, and this isn't a subrequest, send an Upgrade
* response header. Note this must happen before map_to_storage
* and OPTIONS * request processing is completed.
*/
if (sc->enabled == SSL_ENABLED_OPTIONAL && !(sslconn && sslconn->ssl)
&& !r->main) {
apr_table_setn(r->headers_out, "Upgrade", "TLS/1.0, HTTP/1.1");
apr_table_mergen(r->headers_out, "Connection", "upgrade");
}
if (!sslconn) { if (!sslconn) {
return DECLINED; return DECLINED;
} }
@@ -1250,16 +1175,6 @@ int ssl_hook_Access(request_rec *r)
* Support for SSLRequireSSL directive * Support for SSLRequireSSL directive
*/ */
if (dc->bSSLRequired && !ssl) { if (dc->bSSLRequired && !ssl) {
if ((sc->enabled == SSL_ENABLED_OPTIONAL) && !r->connection->master) {
/* This vhost was configured for optional SSL, just tell the
* client that we need to upgrade.
*/
apr_table_setn(r->err_headers_out, "Upgrade", "TLS/1.0, HTTP/1.1");
apr_table_setn(r->err_headers_out, "Connection", "Upgrade");
return HTTP_UPGRADE_REQUIRED;
}
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02219) ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02219)
"access to %s failed, reason: %s", "access to %s failed, reason: %s",
r->filename, "SSL connection required"); r->filename, "SSL connection required");
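Review bot: With the 426 branch gone, the SSLRequireSSL check in ssl_hook_Access now unconditionally refuses plaintext requests, and nothing in mod_ssl emits or reacts to an RFC 2817 `Upgrade: TLS/1.0` header any more; that behaviour change is correct (fail closed) but is not recorded anywhere in the four changed files, all of which are code. I would add a line above the check, `/* No RFC 2817 upgrade-to-TLS path exists any more: a plaintext request for an SSLRequireSSL resource is refused outright. */`, and a CHANGES/docs entry stating that `SSLEngine optional` and the HTTP 426 upgrade response are removed. The remainder of the SSLRequireSSL branch, including the status it returns, lies outside this hunk.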


@@ -518,7 +518,6 @@ typedef enum {
SSL_ENABLED_UNSET = UNSET, SSL_ENABLED_UNSET = UNSET,
SSL_ENABLED_FALSE = 0, SSL_ENABLED_FALSE = 0,
SSL_ENABLED_TRUE = 1, SSL_ENABLED_TRUE = 1,
SSL_ENABLED_OPTIONAL = 3
} ssl_enabled_t; } ssl_enabled_t;
/** /**