Commit aafb20bc authored by Rainer Jung

server/mpm_unix.c (dummy_connection): Use a TLS 1.0 close_notify

alert if the chosen listener is configured for https; not perfect
but better than sending an HTTP request.  Adjust comments.

Backport of r1327036 and r1327080 from trunk,
resp. r1356884 from 2.4.x.

Submitted by: jorton
Reviewed by: covener, wrowe
Backported by: rjung


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1445100 13f79535-47bb-0310-9956-ffa450edef68
parent bc20c8ec
+3 −0
                                                         -*- coding: utf-8 -*-
Changes with Apache 2.2.24

  *) core: Use a TLS 1.0 close_notify alert for internal dummy connection if
     the chosen listener is configured for https. [Joe Orton]

  *) mod_ssl: Add new directive SSLCompression to disable TLS-level
     compression. PR 53219. [Björn Jacke <bjoern j3e de>, Stefan Fritsch]

+0 −10
@@ -120,16 +120,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
             https://issues.apache.org/bugzilla/show_bug.cgi?id=53134#c10
             by the patch author)

   * server/mpm_unix.c (dummy_connection): Use a TLS 1.0 close_notify
     alert if the chosen listener is configured for https; not perfect
     but better than sending an HTTP request.  Adjust comments.
     Based on a patch from: Michael Weiser <michael weiser.dinsnail.net>
     trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1327036 and
                  http://svn.apache.org/viewvc?view=revision&revision=1327080
     2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1356884
     2.2.x patch: http://people.apache.org/~rjung/patches/dummy_connection-https-tls-2_2.patch
     +1: rjung, covener, wrowe

   * ab: add TLS1.1/TLS1.2 options to -f switch, and adapt output
     to more accurately report the negotiated protocol. PR 53916.
     trunk patch: https://svn.apache.org/viewvc?view=revision&revision=1395225
+34 −20
@@ -636,14 +636,14 @@ static apr_status_t pod_signal_internal(ap_pod_t *pod)
    return rv;
}

/* This function connects to the server, then immediately closes the connection.
 * This permits the MPM to skip the poll when there is only one listening
 * socket, because it provides a alternate way to unblock an accept() when
 * the pod is used.
 */
/* This function connects to the server and sends enough data to
 * ensure the child wakes up and processes a new connection.  This
 * permits the MPM to skip the poll when there is only one listening
 * socket, because it provides a alternate way to unblock an accept()
 * when the pod is used.  */
static apr_status_t dummy_connection(ap_pod_t *pod)
{
    char *srequest;
    const char *data;
    apr_status_t rv;
    apr_socket_t *sock;
    apr_pool_t *p;
@@ -697,24 +697,38 @@ static apr_status_t dummy_connection(ap_pod_t *pod)
        return rv;
    }

    /* Create the request string. We include a User-Agent so that
     * adminstrators can track down the cause of the odd-looking
     * requests in their logs.
     */
    srequest = apr_pstrcat(p, "OPTIONS * HTTP/1.0\r\nUser-Agent: ",
    if (lp->protocol && strcasecmp(lp->protocol, "https") == 0) {
        /* Send a TLS 1.0 close_notify alert.  This is perhaps the
         * "least wrong" way to open and cleanly terminate an SSL
         * connection.  It should "work" without noisy error logs if
         * the server actually expects SSLv3/TLSv1.  With
         * SSLv23_server_method() OpenSSL's SSL_accept() fails
         * ungracefully on receipt of this message, since it requires
         * an 11-byte ClientHello message and this is too short. */
        static const unsigned char tls10_close_notify[7] = {
            '\x15',         /* TLSPlainText.type = Alert (21) */
            '\x03', '\x01', /* TLSPlainText.version = {3, 1} */
            '\x00', '\x02', /* TLSPlainText.length = 2 */
            '\x01',         /* Alert.level = warning (1) */
            '\x00'          /* Alert.description = close_notify (0) */
        };
        data = (const char *)tls10_close_notify;
        len = sizeof(tls10_close_notify);
    }
    else /* ... XXX other request types here? */ {
        /* Create an HTTP request string.  We include a User-Agent so
         * that adminstrators can track down the cause of the
         * odd-looking requests in their logs.  A complete request is
         * used since kernel-level filtering may require that much
         * data before returning from accept(). */
        data = apr_pstrcat(p, "OPTIONS * HTTP/1.0\r\nUser-Agent: ",
                           ap_get_server_banner(),
                           " (internal dummy connection)\r\n\r\n", NULL);
        len = strlen(data);
    }

    /* Since some operating systems support buffering of data or entire
     * requests in the kernel, we send a simple request, to make sure
     * the server pops out of a blocking accept().
     */
    /* XXX: This is HTTP specific. We should look at the Protocol for each
     * listener, and send the correct type of request to trigger any Accept
     * Filters.
     */
    len = strlen(srequest);
    apr_socket_send(sock, srequest, &len);
    apr_socket_send(sock, data, &len);
    apr_socket_close(sock);
    apr_pool_destroy(p);