Commit 13a0cba7 authored by Graham Leggett's avatar Graham Leggett

*) mod_ssl: Fixes PR 62654 where "Require ssl" did not work on HTTP/2

   connections, and PR 61519 where $HTTPS was incorrect for the
   "SSLEngine optional" case.
+1: jorton, jim, minfrin


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1847284 13f79535-47bb-0310-9956-ffa450edef68
parent 8820b2bf
+4 −0
@@ -9,6 +9,10 @@ Changes with Apache 2.4.38
     'ssl_io_filter_handshake()'. This messes-up error handling performed
     in 'ssl_io_filter_error()' [Yann Ylavic]

  *) mod_ssl: Fix $HTTPS definition for "SSLEngine optional" case, and fix
     authz provider so "Require ssl" works correctly in HTTP/2.
     PR 61519, 62654.  [Joe Orton, Stefan Eissing]

  *) mod_proxy: If ProxyPassReverse is used for reverse mapping of relative
     redirects, subsequent ProxyPassReverse statements, whether they are
     relative or absolute, may fail.  PR 60408.  [Peter Haworth <pmh1wheel gmail.com>]
+0 −11
@@ -126,17 +126,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
  [ start all new proposals below, under PATCHES PROPOSED. ]

  *) mod_ssl: Fixes PR 62654 where "require ssl" did not work on HTTP/2
     connections, and PR 61519 where $HTTPS was incorrect for the
     "SSLEngine optional" case.
     trunk patch: http://svn.apache.org/r1829250
                  http://svn.apache.org/r1829263
                  http://svn.apache.org/r1846111
     2.4.x patch:
       http://people.apache.org/~jorton/modssl_is_tls.diff
       svn merge --record-only -c 1829250,1829263,1846111 ^/httpd/httpd/trunk .
     +1: jorton, jim, minfrin


PATCHES PROPOSED TO BACKPORT FROM TRUNK:
  [ New proposals should be added at the end of the list ]
+2 −14
@@ -618,24 +618,12 @@ int ssl_init_ssl_connection(conn_rec *c, request_rec *r)

static const char *ssl_hook_http_scheme(const request_rec *r)
{
    SSLSrvConfigRec *sc = mySrvConfig(r->server);

    if (sc->enabled == SSL_ENABLED_FALSE || sc->enabled == SSL_ENABLED_OPTIONAL) {
        return NULL;
    }

    return "https";
    return modssl_request_is_tls(r, NULL) ? "https" : NULL;
}

static apr_port_t ssl_hook_default_port(const request_rec *r)
{
    SSLSrvConfigRec *sc = mySrvConfig(r->server);

    if (sc->enabled == SSL_ENABLED_FALSE || sc->enabled == SSL_ENABLED_OPTIONAL) {
        return 0;
    }

    return 443;
    return modssl_request_is_tls(r, NULL) ? 443 : 0;
}

static int ssl_hook_pre_connection(conn_rec *c, void *csd)
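Review bot: The reason the sc->enabled test disappeared from ssl_hook_http_scheme and ssl_hook_default_port is not recorded anywhere in the code, and it is the crux of the "SSLEngine optional" fix: the old code returned NULL/0 for an optional vhost even when TLS had been negotiated, the new code answers from the connection's actual TLS state. A one-line comment above ssl_hook_http_scheme would stop the next reader from re-adding the config check: `/* Answer from whether TLS was actually negotiated, not from SSLEngine: an "SSLEngine optional" vhost must report https only on TLS connections (PR 61519). */`, with the same note on ssl_hook_default_port. modssl_request_is_tls() is only declared on this page (ssl_private.h hunk); that it resolves HTTP/2 stream connections correctly for these early hooks is assumed here, not visible.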
+11 −22
@@ -1342,8 +1342,7 @@ int ssl_hook_Access(request_rec *r)
 */
int ssl_hook_UserCheck(request_rec *r)
{
    SSLConnRec *sslconn = myConnConfig(r->connection);
    SSLSrvConfigRec *sc = mySrvConfig(r->server);
    SSLConnRec *sslconn;
    SSLDirConfigRec *dc = myDirConfig(r);
    char *clientdn;
    const char *auth_line, *username, *password;
@@ -1392,15 +1391,15 @@ int ssl_hook_UserCheck(request_rec *r)

    /*
     * We decline operation in various situations...
     * - TLS not enabled
     * - client did not present a certificate
     * - SSLOptions +FakeBasicAuth not configured
     * - r->user already authenticated
     * - ssl not enabled
     * - client did not present a certificate
     */
    if (!((sc->enabled == SSL_ENABLED_TRUE || sc->enabled == SSL_ENABLED_OPTIONAL)
          && sslconn && sslconn->ssl && sslconn->client_cert) ||
        !(dc->nOptions & SSL_OPT_FAKEBASICAUTH) || r->user)
    {
    if (!modssl_request_is_tls(r, &sslconn)
        || !sslconn->client_cert
        || !(dc->nOptions & SSL_OPT_FAKEBASICAUTH)
        || r->user) {
        return DECLINED;
    }

@@ -1500,8 +1499,6 @@ static const char *const ssl_hook_Fixup_vars[] = {

int ssl_hook_Fixup(request_rec *r)
{
    SSLConnRec *sslconn = myConnConfig(r->connection);
    SSLSrvConfigRec *sc = mySrvConfig(r->server);
    SSLDirConfigRec *dc = myDirConfig(r);
    apr_table_t *env = r->subprocess_env;
    char *var, *val = "";
@@ -1509,19 +1506,14 @@ int ssl_hook_Fixup(request_rec *r)
    const char *servername;
#endif
    STACK_OF(X509) *peer_certs;
    SSLConnRec *sslconn;
    SSL *ssl;
    int i;

    if (!(sslconn && sslconn->ssl) && r->connection->master) {
        sslconn = myConnConfig(r->connection->master);
    }

    /*
     * Check to see if SSL is on
     */
    if (!(((sc->enabled == SSL_ENABLED_TRUE) || (sc->enabled == SSL_ENABLED_OPTIONAL)) && sslconn && (ssl = sslconn->ssl))) {
    if (!modssl_request_is_tls(r, &sslconn)) {
        return DECLINED;
    }
    ssl = sslconn->ssl;

    /*
     * Annotate the SSI/CGI environment with standard SSL information
@@ -1595,10 +1587,7 @@ static authz_status ssl_authz_require_ssl_check(request_rec *r,
                                                const char *require_line,
                                                const void *parsed)
{
    SSLConnRec *sslconn = myConnConfig(r->connection);
    SSL *ssl = sslconn ? sslconn->ssl : NULL;

    if (ssl)
    if (modssl_request_is_tls(r, NULL))
        return AUTHZ_GRANTED;
    else
        return AUTHZ_DENIED;
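Review bot: In ssl_hook_Fixup, `ssl = sslconn->ssl;` after the modssl_request_is_tls() call depends on the helper filling in *sslconn on every non-zero return, since the local is now declared uninitialized as `SSLConnRec *sslconn;`; ssl_hook_UserCheck has the same shape with `sslconn->client_cert` in its condition. The declaration comment in ssl_private.h promises that, but the definition is not among the visible hunks, so the HTTP/2 fallback this hunk removes (`sslconn = myConnConfig(r->connection->master)`) is presumably now inside the helper — worth confirming, because PR 62654 is exactly the HTTP/2 case. I would add a comment at the assignment: `/* sslconn is only valid after a non-zero modssl_request_is_tls(), which fills it in */`. ssl_hook_UserCheck and ssl_hook_Fixup both start before and continue past the visible hunks.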
+5 −0
@@ -1101,6 +1101,11 @@ void ssl_init_ocsp_certificates(server_rec *s, modssl_ctx_t *mctx);
 * memory. */
DH *modssl_get_dh_params(unsigned keylen);

/* Returns non-zero if the request was made over SSL/TLS.  If sslconn
 * is non-NULL and the request is using SSL/TLS, sets *sslconn to the
 * corresponding SSLConnRec structure for the connection. */
int modssl_request_is_tls(const request_rec *r, SSLConnRec **sslconn);

int ssl_is_challenge(conn_rec *c, const char *servername, 
                     X509 **pcert, EVP_PKEY **pkey);
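Review bot: The contract of modssl_request_is_tls() leaves *sslconn unspecified when it returns zero, and both callers introduced by this commit (ssl_hook_UserCheck, ssl_hook_Fixup) pass an uninitialized local, so a future caller that reads sslconn after a zero return would read garbage. Either state that explicitly in the comment, `/* On a zero return *sslconn is not modified and must not be read. */`, or, better, have the function set *sslconn = NULL on that path and document it. The comment could also say how HTTP/2 stream connections are resolved (via r->connection->master, if that is what the definition does), since that is the behaviour the callers in ssl_engine_kernel.c now rely on instead of their own lookup.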
