* mod_ssl: Fix renegotiation failures redirected to an ErrorDocument. PR 57334.

When this occurs, the redirect (internal) request reaches ssl_hook_Access() and make SSL_do_handshake crash probably because we force the renegotiation based on an incomplete SSL state. To avoid this, ssl_hook_Access() now returns FORBIDDEN immediatly if the given SSL connection is not in a valid (handshaken) state. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1644498 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2014-12-10 18:06:55 +00:00
parent 7ffd981a56
commit d35b8319c0
2 changed files with 17 additions and 3 deletions
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -81,7 +81,8 @@ static apr_status_t upgrade_connection(request_rec *r)

    if (SSL_get_state(ssl) != SSL_ST_OK) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030)
-                      "TLS upgrade handshake failed: not accepted by client!?");
+                      "TLS upgrade handshake failed");
+        ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);

        return APR_ECONNABORTED;
    }
@@ -315,6 +316,16 @@ int ssl_hook_Access(request_rec *r)
    int depth, verify_old, verify, n;

    if (ssl) {
+        /*
+         * We should have handshaken here (on handshakeserver),
+         * otherwise we are being redirected (ErrorDocument) from
+         * a renegotiation failure below. The access is still 
+         * forbidden in the latter case, let ap_die() handle
+         * this recursive (same) error.
+         */
+        if (SSL_get_state(ssl) != SSL_ST_OK) {
+            return HTTP_FORBIDDEN;
+        }
        ctx = SSL_get_SSL_CTX(ssl);
    }

@@ -829,8 +840,8 @@ int ssl_hook_Access(request_rec *r)

            if (SSL_get_state(ssl) != SSL_ST_OK) {
                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261)
-                              "Re-negotiation handshake failed: "
-                              "Not accepted by client!?");
+                              "Re-negotiation handshake failed");
+                ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);

                r->connection->keepalive = AP_CONN_CLOSE;
                return HTTP_FORBIDDEN;