Date: Wed, 08 Dec 2004 09:10:12 -0700
From: "Brad Nicholes"
Subject: Testing TLS Upgrade (was: Re: Patch for bug 18757 breaks TLS upgrade)

FYI, if anybody else is interested in testing the TLS upgrade functionality, there is a small test utility (http://www.apache.org/~bnicholes/tlsupgrade.c) that can be used to send an upgradeable GET or POST request.

Brad

>>> BNICHOLES@novell.com Wednesday, December 08, 2004 9:01:22 AM >>>
It may be a bit of a hack, but it seems reasonable to me. The best part is that it works. +1

Brad

>>> jorton@redhat.com Wednesday, December 08, 2004 2:33:48 AM >>>
On Tue, Dec 07, 2004 at 05:14:40PM -0700, Brad Nicholes wrote:
> OK, now that you have enabled upgrades for anything other than
> OPTIONS, I see the problem. Even though there is a content-length
> included in the header, you are saying that the header is being sent
> encrypted but the content is not, correct? And the reason for this is
> because there is more than one filter stack that needs to be modified?

Yes. I think this fixes it, it's a bit of a hack though:

Index: modules/ssl/ssl_engine_io.c =================================================================== --- modules/ssl/ssl_engine_io.c (revision 111159) +++ modules/ssl/ssl_engine_io.c (working copy) 
@@ -1184,22 +1184,26 @@ apr_bucket *b; SSL *ssl; - /* Just remove the filter, if it doesn't work the first time, it won't - * work at all for this request. - */ - ap_remove_output_filter(f); + /* f->ctx is non-NULL after the first call to this filter: it's + * necessary to pass through directly to the connection output_filters + * for the remainder of this request, since the SSL output filter has + * not been added to r->output_filters for this request. */ + if (f->ctx) { + return ap_pass_brigade(f->c->output_filters, bb); + } - /* No need to ensure that this is a server with optional SSL, the filter - * is only inserted if that is true. - */ - + /* No need to ensure that this is a server with optional SSL, the + * filter is only inserted if that is true. */ upgrade = apr_table_get(r->headers_in, "Upgrade"); if (upgrade == NULL || strcmp(ap_getword(r->pool, &upgrade, ','), "TLS/1.0")) { /* "Upgrade: TLS/1.0, ..." header not found, don't do Upgrade */ + ap_remove_output_filter(f); return ap_pass_brigade(f->next, bb); } + f->ctx = f; /* flag as non-NULL for subsequent passes */ + apr_table_unset(r->headers_out, "Upgrade"); /* Send the interim 101 response. */ @@ -1245,7 +1249,6 @@ pass the brigade off to the connection based output filters so that the request can complete encrypted */ return ap_pass_brigade(f->c->output_filters, bb); - } static apr_status_t ssl_io_filter_input(ap_filter_t *f,
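
Review bot: In the first hunk, `f->ctx = f;` is set before the interim 101 response is sent, so every later brigade for this request goes straight to `f->c->output_filters` whether or not the upgrade that follows actually completed. The error handling between the two hunks is not visible here; if any failure path there returns without ending the connection, the rest of the response would skip both `f->next` and the `Upgrade` check at the top of the filter. Suggest setting the flag only once the upgrade has succeeded, or stating in the comment that a failure is always fatal for the connection. Storing the filter's own pointer as a boolean is also easy to misread, so a one-line note on the ctx contract (NULL means first pass) beside `if (f->ctx)` would help.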
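
An added example, not part of the original thread and not the tlsupgrade.c utility mentioned above: a check a tester could run over the server-to-client bytes captured during an upgrade test, to catch the symptom discussed in the thread where part of the response leaves the server unencrypted after the 101. The function name, result codes and sample bytes are constructed for illustration, and the response head assumes the RFC 2817 form of the interim reply.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { STREAM_OK = 0, NO_101 = -1, CLEARTEXT_AFTER_101 = -2, TRUNCATED = -3 };

/* Constructed captures: an RFC 2817 style 101 head, then a dummy handshake
 * (0x16) and application-data (0x17) record. BAD appends a response body
 * that bypassed the SSL output filter. */
#define HEAD "HTTP/1.1 101 Switching Protocols\r\n" \
             "Upgrade: TLS/1.0, HTTP/1.1\r\nConnection: Upgrade\r\n\r\n"
#define RECS "\x16\x03\x01\x00\x02\xAA\xBB" "\x17\x03\x01\x00\x03\x01\x02\x03"
static const unsigned char GOOD[] = HEAD RECS;
static const unsigned char BAD[]  = HEAD RECS "<html>body</html>";

/* Verify server-to-client bytes: a 101 head, then nothing but TLS records
 * (type 20..23, major version 3, 16-bit big-endian length). Heuristic:
 * it inspects record framing only and decrypts nothing. Result codes and
 * names are this example's own. */
int check_upgraded_stream(const unsigned char *buf, size_t len)
{
    size_t off = 0;
    if (len < 12 || memcmp(buf, "HTTP/1.1 101", 12) != 0)
        return NO_101;
    for (size_t i = 0; i + 4 <= len && off == 0; i++)
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0)
            off = i + 4;                 /* first byte after the head */
    if (off == 0)
        return NO_101;
    while (off < len) {
        if (buf[off] < 20 || buf[off] > 23)
            return CLEARTEXT_AFTER_101;  /* not a TLS record type */
        if (len - off < 5)
            return TRUNCATED;            /* incomplete record header */
        if (buf[off + 1] != 3)
            return CLEARTEXT_AFTER_101;
        size_t rec = ((size_t)buf[off + 3] << 8) | buf[off + 4];
        if (len - off - 5 < rec)
            return TRUNCATED;            /* capture ends inside a record */
        off += 5 + rec;
    }
    return STREAM_OK;
}

int main(void)
{
    printf("good=%d bad=%d\n", check_upgraded_stream(GOOD, sizeof GOOD - 1),
           check_upgraded_stream(BAD, sizeof BAD - 1));
    return 0;
}
```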