httpd-dev mailing list archives

From "Mathihalli, Madhusudan" <mad...@hp.com>
Subject [PATCH] RE: mod_ssl not sending Alert upon close ?
Date Fri, 06 Feb 2004 21:30:00 GMT
IOW, the following patch works.

Question: Is there any other hook / pool-cleanup thing that I can hook the ssl_filter_io_shutdown() logic into?

-Madhu

Index: mod_ssl.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/ssl/mod_ssl.c,v
retrieving revision 1.92
diff -u -r1.92 mod_ssl.c
--- mod_ssl.c   1 Jan 2004 13:26:21 -0000       1.92
+++ mod_ssl.c   6 Feb 2004 21:26:59 -0000
@@ -495,6 +495,50 @@
     }
 }
 
+static int ssl_hook_logger(request_rec *r)
+{
+    const char *type = "";
+    int shutdown_type;
+    conn_rec *c = r->connection;
+    SSLConnRec *sslconn = myConnConfig(c);
+    SSL *ssl = sslconn->ssl;
+
+
+    if (!ssl) {
+        return OK;
+    }
+
+    switch (sslconn->shutdown_type) {
+      case SSL_SHUTDOWN_TYPE_UNCLEAN:
+        /* perform no close notify handshake at all
+           (violates the SSL/TLS standard!) */
+        shutdown_type = SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN;
+        type = "unclean";
+        break;
+      case SSL_SHUTDOWN_TYPE_ACCURATE:
+        /* send close notify and wait for clients close notify
+           (standard compliant, but usually causes connection hangs) */
+        shutdown_type = 0;
+        type = "accurate";
+        break;
+      default:
+        /*
+         * case SSL_SHUTDOWN_TYPE_UNSET:
+         * case SSL_SHUTDOWN_TYPE_STANDARD:
+         */
+        /* send close notify, but don't wait for clients close notify
+           (standard compliant and safe, so it's the DEFAULT!) */
+        shutdown_type = SSL_RECEIVED_SHUTDOWN;
+        type = "standard";
+        break;
+    }
+
+    SSL_set_shutdown(ssl, shutdown_type);
+    SSL_smart_shutdown(ssl);
+
+    return OK;
+}
+
 /*
  *  the module registration phase
  */
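Review bot: `sslconn` is dereferenced (`sslconn->ssl`) before it is checked, and `myConnConfig(c)` returns NULL for connections on vhosts without SSL enabled, so the `if (!ssl)` guard comes one line too late for a hook that runs on every request; test `if (!sslconn || !sslconn->ssl) return DECLINED;` first. The `type` string is assigned in every branch but never read, so either log it or drop it. The whole `switch` on `sslconn->shutdown_type` is a copy of the ssl_filter_io_shutdown() logic the cover message refers to; calling that function instead of duplicating the mapping keeps the two from drifting apart. Nothing records that the shutdown has already been done, so the pool-cleanup path described earlier in the thread (ssl_io_filter_cleanup() into ssl_io_filter_shutdown()) will attempt it a second time on the closed connection. Minor: the double blank line after `SSL *ssl = sslconn->ssl;` should be one.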
@@ -516,6 +560,7 @@
     ap_hook_auth_checker  (ssl_hook_Auth,          NULL,NULL, APR_HOOK_MIDDLE);
     ap_hook_post_read_request(ssl_hook_ReadReq,    NULL,NULL, APR_HOOK_MIDDLE);
     ap_hook_insert_filter (ssl_hook_Insert_Filter, NULL,NULL, APR_HOOK_MIDDLE);
+    ap_hook_log_transaction(ssl_hook_logger,       NULL,NULL, APR_HOOK_MIDDLE);
 /*    ap_hook_handler       (ssl_hook_Upgrade,       NULL,NULL, APR_HOOK_MIDDLE); */
 
     ssl_var_register();
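Review bot: ap_hook_log_transaction is a per-request hook, so this registers the TLS shutdown to run after every logged response rather than once per connection; on a keep-alive connection the close_notify goes out after the first response and any further request on that connection will fail. What the cover message is asking for is something connection-scoped that runs before the socket is closed (the pre-close hook or lingering_close path suggested earlier in the thread), not the request logger. If this stays in as a stopgap, at least check `r->connection->keepalive` in ssl_hook_logger and skip the shutdown when the connection is going to be kept alive.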

-----Original Message-----
From: Mathihalli, Madhusudan 
Sent: Friday, February 06, 2004 7:57 AM
To: dev@httpd.apache.org
Subject: RE: mod_ssl not sending Alert upon close ?


Nope.. It didn't work that way.

The only way I've been able to get the Alert message on the client is by using the log_transaction
hook to do the SSL_shutdown() - it's an ugly hack.

The more I think about it, I feel there's a need for something like a pre-close hook OR have
the lingering_close invoke the filter code for _CONNECTION_TYPE filters.

-Madhu
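The thread keeps coming back to one observable: did an alert record reach the client before the server's TCP close, or did the server close the socket with only application data sent? As an added example (not code from the thread, from httpd or from the posters), here is a small TLS record-layer walker that answers that question from a server-to-client byte capture. The sample streams, content-type names and the `closed_with_alert` / `record_types` / `parse_records` function names are my own construction; after the handshake the alert body is encrypted, so the check looks for an alert record immediately before EOF, which is how a close_notify shows up on the wire.

```python
"""Added example for this thread (not code from httpd or from the posters):
walk a server-to-client TLS byte stream at the record layer and report
whether the last thing the server sent before closing was an alert record."""
import struct
from typing import List, Tuple

# Record-layer content types (RFC 2246 section 6.2.1 / RFC 5246 section 6.2.1)
CT_CHANGE_CIPHER_SPEC = 20
CT_ALERT = 21
CT_HANDSHAKE = 22
CT_APPLICATION_DATA = 23
CT_NAMES = {
    CT_CHANGE_CIPHER_SPEC: "change_cipher_spec",
    CT_ALERT: "alert",
    CT_HANDSHAKE: "handshake",
    CT_APPLICATION_DATA: "application_data",
}
RECORD_HEADER = struct.Struct("!BHH")  # content type, protocol version, body length


def parse_records(stream: bytes) -> List[Tuple[int, int, bytes]]:
    """Split a raw TLS byte stream into (content_type, version, body) tuples.

    A truncated header or body raises ValueError: that is what a server
    closing the socket in the middle of a record looks like to the client.
    """
    records = []
    off = 0
    while off < len(stream):
        if len(stream) - off < RECORD_HEADER.size:
            raise ValueError("truncated record header at offset %d" % off)
        ctype, version, length = RECORD_HEADER.unpack_from(stream, off)
        if ctype not in CT_NAMES:
            raise ValueError("unknown content type %d at offset %d" % (ctype, off))
        body = stream[off + RECORD_HEADER.size:off + RECORD_HEADER.size + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % off)
        records.append((ctype, version, body))
        off += RECORD_HEADER.size + length
    return records


def record_types(stream: bytes) -> List[str]:
    """Human-readable sequence of record types, in wire order."""
    return [CT_NAMES[ctype] for ctype, _, _ in parse_records(stream)]


def closed_with_alert(stream: bytes) -> bool:
    """True when the final record before EOF is an alert record.

    After the handshake the alert body (level, description) is encrypted, so
    close_notify cannot be told apart from other alerts without the session
    keys; an alert record immediately followed by EOF is the wire-visible
    signature of the close_notify the thread is chasing.
    """
    records = parse_records(stream)
    return bool(records) and records[-1][0] == CT_ALERT


def make_record(ctype: int, body: bytes, version: int = 0x0301) -> bytes:
    """Build one TLS record (version 0x0301 = TLS 1.0)."""
    return RECORD_HEADER.pack(ctype, version, len(body)) + body


# Constructed sample streams. The bodies are placeholder bytes standing in for
# encrypted content; they are not real ciphertext.
APP_DATA = make_record(CT_APPLICATION_DATA, b"\x00" * 64)
ENCRYPTED_ALERT = make_record(CT_ALERT, b"\x00" * 22)  # 2-byte alert + 20-byte SHA-1 MAC, stream cipher
BROKEN_CLOSE = APP_DATA                    # server sent data, then just closed the socket
CLEAN_CLOSE = APP_DATA + ENCRYPTED_ALERT   # server sent data, then close_notify, then closed
MID_RECORD_CLOSE = CLEAN_CLOSE[:-5]        # socket closed with the alert record half-written

if __name__ == "__main__":
    for name, stream in (("broken", BROKEN_CLOSE), ("clean", CLEAN_CLOSE)):
        print(name, record_types(stream), "alert before EOF:", closed_with_alert(stream))
    try:
        parse_records(MID_RECORD_CLOSE)
    except ValueError as err:
        print("mid-record close:", err)
```

Fed the server half of a capture taken on the client, the unpatched behaviour described in the thread shows up as a stream whose last record is application data, while a server that sends close_notify before closing ends with an alert record; a truncated final record means the socket was closed while a record was still being written.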



From: Joe Orton [mailto:jorton@redhat.com]
Sent: Fri 2/6/2004 7:03 AM
To: dev@httpd.apache.org
Subject: Re: mod_ssl not sending Alert upon close ?


On Thu, Feb 05, 2004 at 02:03:29PM -0800, Mathihalli, Madhusudan wrote:
> Okay. here's what I think is happening : (Client => C Server -> S)

You're right, the alert is never getting sent!

> C  -> S : initiates connection
> C <-> S : handshake
> S  -> C : server sends application data
> S  -> C : server tries to read from the socket
>           -> finds nothing (0 bytes returned)
>           -> assumes transaction is completed, and starts cleanup process
>           -> closes the connection first
>           -> frees the pool, which invokes ssl_io_filter_cleanup() and in turn ssl_io_filter_shutdown()
>           -> ssl_io_filter_shutdown() tries to send 'Close notify'
>              OOPS ! The connection has already been terminated

Yes - it's too late to rely on pool cleanups to send the alert: I think
the right place to do this is when the output filter gets the EOS
bucket: the patch below fixes for my tests, can you test against MSIE?

I'm not convinced about the ordering of the flush/shutdown...

--- modules/ssl/ssl_engine_io.c 23 Jan 2004 16:50:24 -0000      1.114
+++ modules/ssl/ssl_engine_io.c 6 Feb 2004 14:55:16 -0000
@@ -1404,6 +1404,11 @@
          * These types do not require translation by OpenSSL. 
          */
         if (APR_BUCKET_IS_EOS(bucket) || APR_BUCKET_IS_FLUSH(bucket)) {
+            if (APR_BUCKET_IS_EOS(bucket)) {
+                status = ssl_filter_io_shutdown(filter_ctx, f->c, 0);
+                if (status) break;
+            }
+
             if (bio_filter_out_flush(filter_ctx->pbioWrite) < 0) {
                 status = outctx->rc;
                 break;
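Review bot: the ordering question raised above is real: ssl_filter_io_shutdown() is called on EOS before bio_filter_out_flush(), so whatever is still buffered in pbioWrite for this response is ordered relative to the alert by what the shutdown path does internally, not by this code. Flushing first and then calling ssl_filter_io_shutdown() makes the intent explicit and keeps the close_notify after the last application data. Separately, EOS reaches this connection-level filter at the end of every response, not only when the connection is about to close, so on a keep-alive connection this shuts the TLS session down after the first response; the new EOS branch needs to be conditioned on the connection actually closing (for example `f->c->keepalive != AP_CONN_KEEPALIVE`) before the MSIE test says much.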
