mirror of https://github.com/apache/httpd.git synced 2025-11-06 16:49:32 +03:00
Commit Graph

126 Commits

Author SHA1 Message Date
Justin Erenkrantz
fafabb637f Remove SSLLog and SSLLogLevel directives in favor of having mod_ssl use the
standard ErrorLog directives.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@95129 13f79535-47bb-0310-9956-ffa450edef68
2002-05-16 06:09:13 +00:00
Justin Erenkrantz
d0214d5ae7 Change mod_ssl from using ssl_log() to ap_log_error().
The issue is that ssl_log doesn't handle apr_status_t result codes.  This
leads to a number of places (esp. with mutexes) where the error codes get
lost.  Rather than extending ssl_log further, since mod_ssl is part of
our core, migrate to ap_log_error.  This means that mod_ssl no longer
does its own logging.

Most uses of SSL_ADD_ERRNO are now mapped correctly to apr_status_t values
(mainly because the APIs that used to return errnos are now APRized and
have apr_status_t codes available).

SSL_LOG_TRACE and SSL_LOG_DEBUG were mapped to the APLOG_DEBUG values.
mod_ssl prints out a LOT of debugging information, so mod_ssl with LogLevel
Debug may not be a good idea - perhaps mod_ssl should be less chatty.

Numerous printf type collisions were also resolved.

(The ssl logging code itself will be removed in a subsequent commit.)

This has been discussed on dev@httpd, but the fact that there isn't
much to review besides the mindless changes, I'm going to commit now
and rely on CTR if I screwed up anything on the translation.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@95127 13f79535-47bb-0310-9956-ffa450edef68
2002-05-16 05:17:11 +00:00
Justin Erenkrantz
d28c4dae36 Stop using SSL_ADD_SSLERR option in ssl_log() and replace with new
ssl_log_ssl_error() function that wraps ap_log_error instead.

This begins the migration from ssl_log() -> ap_log_error().  Divorcing
ourselves from the SSL_ADD_SSLERR option is required to make the next
pass easier.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@95122 13f79535-47bb-0310-9956-ffa450edef68
2002-05-15 23:10:33 +00:00
Doug MacEachern
5653644f78 PR:
Obtained from:
Submitted by:
Reviewed by:
ssl_io_input_read now returns APR_EOF if ssl_io_hook_read returns 0
bytes for a reason other than SSL_ERROR_WANT_READ.  this should
prevent a possible endless loop.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94519 13f79535-47bb-0310-9956-ffa450edef68
2002-04-07 06:32:21 +00:00
Cliff Woolley
c1c583494e Get the HTTP-on-HTTPS hint to come through again. We're in AP_MODE_GETLINE
at this point, so the \r\n\r\n just confuses the http input filter.

One concern: this patch is only correct as long as we only ever call this
function while in AP_MODE_GETLINE.  Ideally we would account for the mode
and return the newlines if not in GETLINE mode, but at the moment it doesn't
seem to matter.

Reviewed by: Doug MacEachern


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94453 13f79535-47bb-0310-9956-ffa450edef68
2002-04-05 07:31:44 +00:00
Doug MacEachern
266bd151d1 PR:
Obtained from:
Submitted by:
Reviewed by:    Ryan Bloom
ap_remove_output_filter no longer works for connection filters.
change logic in the case of "HTTP spoken on HTTPS port" to disable the
ssl filters rather than attempt to remove the filters.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94393 13f79535-47bb-0310-9956-ffa450edef68
2002-04-02 17:30:08 +00:00
Doug MacEachern
ada316e24b input filter should not return failure when ssl runtime wants to read more
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94328 13f79535-47bb-0310-9956-ffa450edef68
2002-03-30 05:16:55 +00:00
Doug MacEachern
a12425c133 ssl_io_input_read needs to return something other than APR_SUCCESS
when bucket read from socket was successful,
but there was an error within the ssl runtime.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94327 13f79535-47bb-0310-9956-ffa450edef68
2002-03-30 04:52:48 +00:00
Cliff Woolley
3e2ce19baf BUCKET FREELISTS
Add an allocator-passing mechanism throughout the bucket brigades API.

From Apache's standpoint, the apr_bucket_alloc_t* used throughout a given
connection is stored in the conn_rec by the create_connection hook.  That
means it's the MPM's job to optimize recycling of apr_bucket_alloc_t's --
the MPM must ensure that no two threads can ever use the same one at the
same time, for instance.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94304 13f79535-47bb-0310-9956-ffa450edef68
2002-03-29 08:17:26 +00:00
Doug MacEachern
c0797583d1 need to flush output buffer before reading in proxy mode
need to call ssl_hook_process_connection in the output filter in proxy
mode, since proxy hits the output filter before the input filter


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94299 13f79535-47bb-0310-9956-ffa450edef68
2002-03-29 07:23:09 +00:00
Doug MacEachern
d5c395f0e7 de-hungarian-ize server config member names which are going to stay
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94264 13f79535-47bb-0310-9956-ffa450edef68
2002-03-28 17:11:12 +00:00
Cliff Woolley
af9bfbb2b3 "Oops" has two o's in it. :)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94235 13f79535-47bb-0310-9956-ffa450edef68
2002-03-27 21:16:37 +00:00
Doug MacEachern
5bfe936911 3rd arg of BIO callbacks is 'const char' in OpenSSL and 'char' in sslc,
make both happy.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94198 13f79535-47bb-0310-9956-ffa450edef68
2002-03-27 01:58:15 +00:00
Doug MacEachern
22c5fe3f27 OpenSSL uses void * for callback data, sslc uses char *,
cast to void * to make both happy.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94197 13f79535-47bb-0310-9956-ffa450edef68
2002-03-27 01:50:43 +00:00
Doug MacEachern
dd679accdf correct comment in previous change
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94171 13f79535-47bb-0310-9956-ffa450edef68
2002-03-26 00:49:37 +00:00
Doug MacEachern
dc0b193480 PR:
Obtained from:
Submitted by:
Reviewed by:
fix bug seen on win32 with netscape client where output filter is run
triggered by lingering_close after ssl_hook_CloseConnection has been called


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94170 13f79535-47bb-0310-9956-ffa450edef68
2002-03-26 00:30:47 +00:00
Doug MacEachern
9813433685 fix comment
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@93932 13f79535-47bb-0310-9956-ffa450edef68
2002-03-14 07:21:10 +00:00
Doug MacEachern
e00ddfd24b PR:
Obtained from:
Submitted by:
Reviewed by:
fix bug in ssl_io_input_getline():
in most cases we get all the headers on the first SSL_read.
however, in certain cases SSL_read will only get a partial
chunk of the headers, so we now try to read until LF is seen.

bug seen with netscape client (running both on linux and win32) and
server running on win32.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@93931 13f79535-47bb-0310-9956-ffa450edef68
2002-03-14 07:04:10 +00:00
Roy T. Fielding
845cbfd508 Update our copyright for this year.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@93918 13f79535-47bb-0310-9956-ffa450edef68
2002-03-13 20:48:07 +00:00
Justin Erenkrantz
94d01b65aa Change ap_get_brigade prototype to remove *readbytes in favor of readbytes.
If you need the length, you should be using apr_brigade_length.  This is
much more consistent.  Of all the places that call ap_get_brigade, only
one (ap_http_filter) needs the length.  This makes it now possible to
pass constants down without assigning them to a temporary variable first.

Also:
- Change proxy_ftp to use EXHAUSTIVE mode (didn't catch its -1 before)
- Fix buglet in mod_ssl that would cause it to return too much data in
  some circumstances


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@93014 13f79535-47bb-0310-9956-ffa450edef68
2002-01-25 01:11:47 +00:00
Justin Erenkrantz
72e3b21614 - Add AP_MODE_SPECULATIVE support to mod_ssl
- Protect mod_ssl from dealing with modes it doesn't recognize.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@92968 13f79535-47bb-0310-9956-ffa450edef68
2002-01-22 06:33:35 +00:00
Justin Erenkrantz
af117f2f16 If we would exhaust the buffer entirely, set it to NULL rather than
point at the end of the buffer with a length of 0.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@92967 13f79535-47bb-0310-9956-ffa450edef68
2002-01-22 06:26:07 +00:00
Justin Erenkrantz
7d32242a14 Input filtering prototype change: Socket blocking type should be
separate from the input filter mode type.

We also no longer look at readbytes to determine the method of
filter operation.  This makes the use of filters more obvious and
allows a wider range of options for input filter modes.

To start with, the new input filter modes are:

AP_MODE_READBYTES (no more than *readbytes returned)
AP_MODE_GETLINE (old *readbytes == 0 case)
AP_MODE_EATCRLF (old AP_MODE_PEEK)
AP_MODE_SPECULATIVE (will be used in a future ap_getline rewrite)
AP_MODE_EXHAUSTIVE (old *readbytes == -1 case)
AP_MODE_INIT (special case for NNTP over SSL)

The block parameter is an apr_read_type_e: APR_BLOCK_READ, APR_NONBLOCK_READ

This also allows cleanup of mod_ssl's handling in the getline case.

Reviewed by:	Ryan Bloom (concept), Greg Stein (concept)


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@92928 13f79535-47bb-0310-9956-ffa450edef68
2002-01-19 07:45:18 +00:00
Doug MacEachern
7a33a9e58d fix for SSLv2 requests
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@92897 13f79535-47bb-0310-9956-ffa450edef68
2002-01-18 00:13:25 +00:00
William A. Rowe Jr
b444b9bd83 Clean up several typesafety (signedness and size) emits.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@92889 13f79535-47bb-0310-9956-ffa450edef68
2002-01-17 15:51:41 +00:00
Doug MacEachern
e937a7c48a output filter optimizations:
- avoid creating a new bucket brigade for each EOS or FLUSH bucket
- do not pass FLUSH bucket since BIO_bucket_flush() already does so
  if there is any data to flush.
- do not call apr_brigade_destroy(bb); since we will have either
  emptied it or passed it, in which case it will be destroyed further
  down the chain.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@92885 13f79535-47bb-0310-9956-ffa450edef68
2002-01-17 05:04:54 +00:00
Doug MacEachern
ae33d7594f adjust BIO_METHOD initializers for sslc
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@92881 13f79535-47bb-0310-9956-ffa450edef68
2002-01-17 01:35:20 +00:00
Doug MacEachern
f2e97102ce rewrite of mod_ssl input filter for better performance and less memory usage
PR:
Obtained from:
Submitted by:
Reviewed by:	Justin Erenkrantz


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@92873 13f79535-47bb-0310-9956-ffa450edef68
2002-01-17 00:54:33 +00:00
William A. Rowe Jr
3165fd3e30 Correct case comparison typematch
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@92279 13f79535-47bb-0310-9956-ffa450edef68
2001-12-02 01:26:45 +00:00
Doug MacEachern
70d030984c remove churn_output() function and calls to it.
when SSL needs to flush (e.g. during SSL_accept()) it will call BIO_flush()
which will trigger a call to bio_bucket_ctrl() -> BIO_bucket_flush().
so we only need to flush the output ourselves if we receive an EOS or
FLUSH bucket.

BIO_bucket_flush() and churn_output() had been turning up near the top
of the profile with gprof.  churn_output() of course has now vanished
and BIO_bucket_flush() has dropped, being called far less than before.

PR:
Obtained from:
Submitted by:
Reviewed by:


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@92271 13f79535-47bb-0310-9956-ffa450edef68
2001-12-01 02:11:04 +00:00
Doug MacEachern
d6497301dc moving chunk of logic that deals with writing ssl data from
ssl_io_filter_Output() to a new ssl_filter_write() function.
this will make it easier to optimize how we deal with file buckets
that cannot be mmaped.
PR:
Obtained from:
Submitted by:
Reviewed by:


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@92209 13f79535-47bb-0310-9956-ffa450edef68
2001-11-28 03:15:41 +00:00
Doug MacEachern
83c0b89f0a implement a custom BIO which allows us to hook SSL_write directly into
an apr_bucket_brigade and use transient buckets with the SSL
malloc-ed buffer, rather than copying into a mem BIO.

also allows us to pass the brigade as data is being written
rather than buffering up the entire response in the mem BIO.

PR:
Obtained from:
Submitted by:
Reviewed by:	Justin Erenkrantz, Ryan Bloom


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@92206 13f79535-47bb-0310-9956-ffa450edef68
2001-11-27 23:37:20 +00:00
Doug MacEachern
b03492249b add input filter AP_MODE_INIT support to handshake before reading
request data from the client.
PR:
Obtained from:
Submitted by:	dougm
Reviewed by:	wrowe


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@92043 13f79535-47bb-0310-9956-ffa450edef68
2001-11-19 22:37:57 +00:00
Ryan Bloom
c443151064 Fix the SSL filter logic. The SSL filter is not a network filter, because
it does not actually do the reading and writing to the network.  By
moving that filter to in between CONNECTION and NETWORK filters, we ensure
that SSL is always called before the core.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@91969 13f79535-47bb-0310-9956-ffa450edef68
2001-11-15 20:55:13 +00:00
William A. Rowe Jr
b9e48fc75e Fix a nasty GP fault... stop testing buckets after they are passed!!!
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@91610 13f79535-47bb-0310-9956-ffa450edef68
2001-10-20 20:43:37 +00:00
Justin Erenkrantz
f002d4e8fd Well, now I know what the bio_is_renegotiating call was for.
Place a big-ass comment there so that whomever comes next isn't stuck
at a cryptic call that they don't understand with a dinky comment.
Hopefully, this makes sense.  Someone more familiar with OpenSSL should
verify the comment.

This fix also requires the normalize call to be performed before
churn_input so that we don't enter churn_input with a 0-length ctx->b
brigade.

All httpd-test tests (except for the module/negotiation test) pass now.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@91442 13f79535-47bb-0310-9956-ffa450edef68
2001-10-12 06:27:04 +00:00
Justin Erenkrantz
4714a72ae4 If we passed the bucket to ap_pass_brigade (because it was EOS or FLUSH),
we shouldn't delete it.

Thanks to Doug for pointing out that something broke.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@91441 13f79535-47bb-0310-9956-ffa450edef68
2001-10-12 04:59:19 +00:00
Justin Erenkrantz
fd1950344a Lose the magic number and use the central #define AP_IOBUFSIZE.
Hey, I've never seen it in actual use anywhere, so I didn't know.

Thanks to Roy for pointing it out.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@91440 13f79535-47bb-0310-9956-ffa450edef68
2001-10-12 02:00:41 +00:00
Justin Erenkrantz
e3d203298e This is the mod_ssl input filtering rewrite. Lots of stuff here. I also
changed some of the style issues within the filtering code to conform to
the rest of the server.

Various incarnations of this patch have been posted to dev@httpd without
feedback.  Now that it passes all of the httpd-test cases (with the
exception of module/negotiation test which fails without mod_ssl anyway),
it is time to check it in.

Please review and test.  We are under C-T-R rules, so I'm going to take
advantage of that and commit it now.  I have tested this about as much
as I can and it seems to work from everything I can give to it.
Considering that mod_ssl was broken before this commit, this is an
improvement.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@91414 13f79535-47bb-0310-9956-ffa450edef68
2001-10-11 01:49:21 +00:00
Justin Erenkrantz
d18a2bcce3 Ah, I didn't see that churn is only used on input - rename the function
to match churn_output.  =)

Yes, I'm slowly working on fixing mod_ssl...


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@91289 13f79535-47bb-0310-9956-ffa450edef68
2001-10-04 17:50:39 +00:00
William A. Rowe Jr
92c68926f4 BIO_write returns an int. Whacha gonna do? Kill the last non-ab warning.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@91220 13f79535-47bb-0310-9956-ffa450edef68
2001-10-01 16:07:17 +00:00
Ryan Bloom
bfe91354fb Allow mod_ssl to send back an error message if an HTTP request is sent
over an HTTPS connection.  This also adds an ap_remove_input_filter
function, which should be used to remove the SSL input filter in this
case, as soon as this code is stressed a bit more.

For right now, we are sending the same message that we used to send in
mod_ssl for Apache 1.3.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@90724 13f79535-47bb-0310-9956-ffa450edef68
2001-08-27 06:00:51 +00:00
Doug MacEachern
99bc864e36 enable i/o debugging
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@90645 13f79535-47bb-0310-9956-ffa450edef68
2001-08-24 18:06:47 +00:00
Doug MacEachern
e3f378e265 churn_output should return the value of ap_pass_brigade
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@90640 13f79535-47bb-0310-9956-ffa450edef68
2001-08-24 17:17:35 +00:00
Cliff Woolley
051e111a79 performance: change an O(n) while loop to an equivalent O(1) brigade macro
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@90536 13f79535-47bb-0310-9956-ffa450edef68
2001-08-23 02:32:26 +00:00
Cliff Woolley
b5bfeab91b Another step in improving legibility by factoring out some redundant code
(how many times can you test the same condition in one function? :-)


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@90535 13f79535-47bb-0310-9956-ffa450edef68
2001-08-23 02:23:43 +00:00
Cliff Woolley
0797ef8079 Nit: the lack of brackets was driving me crazy
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@90531 13f79535-47bb-0310-9956-ffa450edef68
2001-08-23 00:23:54 +00:00
Cliff Woolley
10638bebb4 Simplify the apr_read_type_e vs. ap_input_mode_t silliness. The two
are compatible (due to our early abort when PEEK mode is requested),
so we don't have to go to so much effort to convert from one to the other.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@90530 13f79535-47bb-0310-9956-ffa450edef68
2001-08-23 00:21:40 +00:00
Cliff Woolley
6178a2c69e There's only one way for bb to be non-NULL, so these two
cases can be combined.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@90513 13f79535-47bb-0310-9956-ffa450edef68
2001-08-22 22:25:14 +00:00
Doug MacEachern
d001e33664 rather than creating small 1024 byte buckets of output data,
create a transient bucket pointing directly to the BIO mem buff.
this makes for a dramatic increase in performance. previously,
downloading large files (2Mb-5Mb-ish) made my laptop start to
smoke from the fan spinning so fast to cool the cpu.
also, apache stylize churn_output()
PR:
Obtained from:
Submitted by:
Reviewed by:


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@90497 13f79535-47bb-0310-9956-ffa450edef68
2001-08-22 16:59:26 +00:00