www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-08 15:02:10 +03:00
Code Activity

let proxy handler forward ALPN protocol strings for ssl proxy connections

Browse Source 
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1729208 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Stefan Eissing
2016-02-08 16:50:07 +00:00
parent 49e969e57b
commit a5511fe280
2 changed files with 39 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
modules/proxy/proxy_util.c
View File

@@ -2717,6 +2717,8 @@ PROXY_DECLARE(int) ap_proxy_connect_backend(const char *proxy_function,
if (conn->sock) { if (conn->sock) {
if (!(connected = ap_proxy_is_socket_connected(conn->sock))) { if (!(connected = ap_proxy_is_socket_connected(conn->sock))) {
/* FIXME: this loses conn->ssl_hostname and it will not be
* restablished before the SSL connection is made -> no SNI! */
socket_cleanup(conn); socket_cleanup(conn);
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(00951) ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(00951)
"%s: backend socket is disconnected.", "%s: backend socket is disconnected.",

38
modules/ssl/ssl_engine_io.c
View File

@@ -1146,12 +1146,48 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
#endif #endif
const char *hostname_note = apr_table_get(c->notes, const char *hostname_note = apr_table_get(c->notes,
"proxy-request-hostname"); "proxy-request-hostname");
const char *alpn_note;
BOOL proxy_ssl_check_peer_ok = TRUE; BOOL proxy_ssl_check_peer_ok = TRUE;
int post_handshake_rc = OK; int post_handshake_rc = OK;
sc = mySrvConfig(server); sc = mySrvConfig(server);
#ifdef HAVE_TLSEXT #ifdef HAVE_TLSEXT
#ifdef HAVE_TLS_ALPN
alpn_note = apr_table_get(c->notes, "proxy-request-alpn-protos");
if (alpn_note) {
char *protos, *s, *p, *last;
apr_size_t len;
s = protos = apr_pcalloc(c->pool, strlen(alpn_note)+1);
p = apr_pstrdup(c->pool, alpn_note);
while ((p = apr_strtok(p, ", ", &last))) {
len = last - p - (*last? 1 : 0);
if (len > 255) {
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO()
"ALPN proxy protocol identifier too long: %s",
p);
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, server);
return APR_EGENERAL;
}
*s++ = (unsigned char)len;
while (len--) {
*s++ = *p++;
}
p = last;
}
ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, c,
"setting alpn protos from '%s', protolen=%d",
alpn_note, (int)(s - protos));
if (protos != s && SSL_set_alpn_protos(filter_ctx->pssl,
(unsigned char *)protos,
s - protos)) {
ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO()
"error setting alpn protos from '%s'", alpn_note);
ssl_log_ssl_error(SSLLOG_MARK, APLOG_WARNING, server);
}
}
#endif /* defined HAVE_TLS_ALPN */
/* /*
* Enable SNI for backend requests. Make sure we don't do it for * Enable SNI for backend requests. Make sure we don't do it for
* pure SSLv3 connections, and also prevent IP addresses * pure SSLv3 connections, and also prevent IP addresses
@@ -1176,7 +1212,7 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
ssl_log_ssl_error(SSLLOG_MARK, APLOG_WARNING, server); ssl_log_ssl_error(SSLLOG_MARK, APLOG_WARNING, server);
} }
} }
#endif #endif /* defined HAVE_TLSEXT */
if ((n = SSL_connect(filter_ctx->pssl)) <= 0) { if ((n = SSL_connect(filter_ctx->pssl)) <= 0) {
ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02003) ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02003)