httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 18339] New: - Handling of SSL errors on non-HTTP connections
Date Tue, 25 Mar 2003 20:28:35 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=18339>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=18339

Handling of SSL errors on non-HTTP connections

           Summary: Handling of SSL errors on non-HTTP connections
           Product: Apache httpd-2.0
           Version: 2.0.44
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: lendl@nic.at


I'm developing an Apache 2.0 module for EPP (see
http://sourceforge.net/projects/aepps), which also utilizes mod_ssl. The calling
patterns thus are likely to be different than with HTTP.

Problem description: When the SSL-negotiation fails (missing client cert, server
config error, ...), the connection is closed TCP-wise, but this is not
communicated to the connection handler, and any further reads (i.e.
ap_get_brigade) will cause a core dump.

I've nailed the problem down to the state-handling of an abandoned connection.
In ssl_io_filter_input there is the following code-fragment:
    if (f->c->aborted) {
        /* XXX: Ok, if we aborted, we ARE at the EOS.  We also have
         * aborted.  This 'double protection' is probably redundant,
         * but also effective against just about anything.
         */
which makes a lot of sense. I seem to run into a case where c->aborted is not
set even though the connection has been aborted. The error seems to be within
ssl_filter_io_shutdown, where c->aborted is *not* touched (in my case, nobody is
setting c->aborted to true). The following patch seems to fix the problem for me:

--- httpd-2.0.44/modules/ssl/ssl_engine_io.c    Mon Jan 13 18:35:22 2003
+++ httpd-2.0.44/modules/ssl/ssl_engine_io.c.new        Tue Mar 25 21:07:47 2003
@@ -997,6 +997,7 @@
     SSL_free(ssl);
     sslconn->ssl = NULL;
     filter_ctx->pssl = NULL; /* so filters know we've been shutdown */
+    c->aborted = 1;

     return APR_SUCCESS;
 }
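
Review bot: the added `c->aborted = 1;` just before `return APR_SUCCESS;` is unconditional, so every call that reaches the end of this function marks the connection as aborted, whether the SSL shutdown followed a failed negotiation or an orderly close. If this function is also reached on a clean close, consider setting the flag only on the error path, or add a comment on the new line stating that any SSL shutdown is meant to count as an abort. The context line above already clears `filter_ctx->pssl` "so filters know we've been shutdown"; having the input filter treat a NULL `pssl` as end-of-stream as well would protect readers even on paths where `c->aborted` is never set. The hunk does not show where `c` is declared, so please confirm it is in scope at this point and is the same conn_rec that the `f->c->aborted` check in the input filter reads.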

Please apply it (or anything you think is more appropriate) against the CVS.

Thanks.

/ol

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

