Make the SSL filters chain return an error when the handshake fails with an
origin server. It can then be caught by mod_proxy to fail with 502.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1839442 13f79535-47bb-0310-9956-ffa450edef68
The core output filter used to determine first if it needed to block before
trying to send its data (including set aside ones), and if so it did call
send_brigade_blocking().
This can be avoided by making send_brigade_nonblocking() send as much data as
possible (nonblocking), and only if data remain check whether they should be
flushed (blocking), according to the same ap_filter_reinstate_brigade()
heuristics but afterward.
This allows both to simplify the code (axe send_brigade_blocking and some
duplicated logic) and optimize sends since send_brigade_nonblocking() is now
given all the buckets so it can make use of scatter/gather (iovec) or NOPUSH
option with the whole picture.
When sendfile is available and/or with fine tuning of FlushMaxThreshold (and
ReadBufferSize) from r1836032, one can now take advantage of modern network
speeds and bandwidth.
This commit also adds some APLOG_TRACE6 messages for outputed bytes (including
at mod_ssl level since splitting happens there when it's active).
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1836237 13f79535-47bb-0310-9956-ffa450edef68
LibreSSL defines OPENSSL_VERSION_NUMBER = 2.0, but is not compatible with
all of the latest OpenSSL 1.1 API.
Address this by defining MODSSL_USE_OPENSSL_PRE_1_1_API which is true for
anything but OpenSSL >= 1.1 (for now).
Proposed by: Bernard Spil <brnrd freebsd.org>
Reviewed by: ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1803396 13f79535-47bb-0310-9956-ffa450edef68
If other modules or libraries do not clear the OpenSSL error queue after
a failed operation, other code that relies on SSL_get_error() -- in
particular, code that deals with SSL_ERROR_WANT_READ/WRITE logic -- will
malfunction later on. To prevent this, explicitly clear the error queue
before calls like SSL_read/write/accept().
PR: 60223
Submitted by: Paul Spangler <paul.spangler ni.com>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1769332 13f79535-47bb-0310-9956-ffa450edef68
such that disabling either disables both, and that enabling either will
trigger the more comprehensive SSLProxyCheckPeerName behavior.
Only a single configuration remains to enable the legacy behavior, which
is to explicitly disable SSLProxyCheckPeerName and enable SSLProxyCheckPeerCN.
Changes to the proxy config directives leads us to a different 2.4 fix...
https://github.com/wrowe/patches/blob/master/fix_proxy_check_peer-2.4.x.patch
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1746647 13f79535-47bb-0310-9956-ffa450edef68
Coalesce when (subsequent brigade's) data bucket is not last (likely followed
by FLUSH or EOS) but we have buffered data already.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1723143 13f79535-47bb-0310-9956-ffa450edef68
Fix "HTTP spoken on HTTPS port" broken by the SSL handshake trigger moved to
process_connection hook (r1709602) along with H2Direct speculative read.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1715023 13f79535-47bb-0310-9956-ffa450edef68
Flush SSL/TLS handshake data when writing (instead of before reading),
and only when necessary (openssl < 0.9.8m or proxy/client side).
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1707230 13f79535-47bb-0310-9956-ffa450edef68
This defeats deferred write (and pipelining), eg. check_pipeline() is not
expecting the pipe to be flushed under it.
So let OpenSSL >= 0.9.8m issue the flush when necessary (earlier versions
are known to not handle all the cases, so we keep flushing with those).
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1705823 13f79535-47bb-0310-9956-ffa450edef68
Such readers are prepared to receive empty data anyway (and take appropriate
action), while e.g. check_pipeline() is not expecting the pipe to be flushed
under it.
Reverted by: r1705820
Replaced by: r1705823
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1705236 13f79535-47bb-0310-9956-ffa450edef68
* modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: drop
modssl_register_npn optional function and related declarations.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks):
no longer set NPN advertisement callback.
* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): remove
NPN handling.
* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos):
remove callback.
* modules/ssl/ssl_private.h: remove NPN prototypes, set
HAVE_TLS_ALPN (OpenSSL 1.0.2 and later) with feature-based detection.
Rename SSLAlpnPreference to SSLALPNPreference, and add documentation.
Previous commits related to NPN and ALPN, for reference purposes:
r1332643 - Add support for TLS Next Protocol Negotiation
r1487772 - mod_ssl: Redesign NPN (Next Protocol Negotiation) API
to avoid use of hooks API and inter-module hard linkage
r1670397 - ALPN support, based on mod_spdy/mod_h2 patch set
r1670434 - More ALPN goodness
(plus some minor tweaks: r1670578, r1670440, r1670578,
r1670738, r1675459, and r1675549)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1676004 13f79535-47bb-0310-9956-ffa450edef68
More uses of ap_map_http_request_error() and AP_FILTER_ERROR so that we never
return an HTTP error status from a handler if some filter generated a response
already.
That is, from a handler, either ap_get_brigade() (an input filter) returned
AP_FILTER_ERROR and we must forward it to ap_die(), or ap_pass_brigade() (an
output filter) failed with any status and we must return AP_FILTER_ERROR in
any case for ap_die() to determine whether a response is needed or not.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1665625 13f79535-47bb-0310-9956-ffa450edef68
return an error code understood by ssl_io_filter_error().
That function needs to perform error handling, and a valid
apr_status_t needs to be returned up.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1645529 13f79535-47bb-0310-9956-ffa450edef68
SSLSessionCache are used and SSL session is resumed. SSL_CLIENT_VERIFY value
has been set to SUCCESS on resumption even when originally it was set to
GENEROUS. PR 53193.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1633085 13f79535-47bb-0310-9956-ffa450edef68
