www/apache
1
0
Fork 0
mirror of https://github.com/apache/httpd.git synced 2025-08-08 15:02:10 +03:00
Code Activity

* mod_ssl: Fix renegotiation failures redirected to an ErrorDocument. PR 57334.

Browse Source 
When this occurs, the redirect (internal) request reaches ssl_hook_Access()
and make SSL_do_handshake crash probably because we force the renegotiation
based on an incomplete SSL state.

To avoid this, ssl_hook_Access() now returns FORBIDDEN immediatly if the given
SSL connection is not in a valid (handshaken) state.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1644498 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Yann Ylavic
2014-12-10 18:06:55 +00:00
parent 7ffd981a56
commit d35b8319c0
2 changed files with 17 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGES
View File

@@ -1,6 +1,9 @@
-*- coding: utf-8 -*- -*- coding: utf-8 -*-
Changes with Apache 2.5.0 Changes with Apache 2.5.0
*) mod_ssl: Fix renegotiation failures redirected to an ErrorDocument.
PR 57334. [Yann Ylavic].
*) core: Fix -D[efined] or <Define>[d] variables lifetime accross restarts. *) core: Fix -D[efined] or <Define>[d] variables lifetime accross restarts.
PR 57328. [Armin Abfalterer <a.abfalterer gmail.com>, Yann Ylavic]. PR 57328. [Armin Abfalterer <a.abfalterer gmail.com>, Yann Ylavic].

17
modules/ssl/ssl_engine_kernel.c
View File

@@ -81,7 +81,8 @@ static apr_status_t upgrade_connection(request_rec *r)
if (SSL_get_state(ssl) != SSL_ST_OK) { if (SSL_get_state(ssl) != SSL_ST_OK) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030) ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030)
"TLS upgrade handshake failed: not accepted by client!?"); "TLS upgrade handshake failed");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
return APR_ECONNABORTED; return APR_ECONNABORTED;
} }
@@ -315,6 +316,16 @@ int ssl_hook_Access(request_rec *r)
int depth, verify_old, verify, n; int depth, verify_old, verify, n;
if (ssl) { if (ssl) {
/*
* We should have handshaken here (on handshakeserver),
* otherwise we are being redirected (ErrorDocument) from
* a renegotiation failure below. The access is still
* forbidden in the latter case, let ap_die() handle
* this recursive (same) error.
*/
if (SSL_get_state(ssl) != SSL_ST_OK) {
return HTTP_FORBIDDEN;
}
ctx = SSL_get_SSL_CTX(ssl); ctx = SSL_get_SSL_CTX(ssl);
} }
@@ -829,8 +840,8 @@ int ssl_hook_Access(request_rec *r)
if (SSL_get_state(ssl) != SSL_ST_OK) { if (SSL_get_state(ssl) != SSL_ST_OK) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261) ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261)
"Re-negotiation handshake failed: " "Re-negotiation handshake failed");
"Not accepted by client!?"); ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
r->connection->keepalive = AP_CONN_CLOSE; r->connection->keepalive = AP_CONN_CLOSE;
return HTTP_FORBIDDEN; return HTTP_FORBIDDEN;