httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ruediger Pluem <>
Subject Re: svn commit: r592446 - in /httpd/httpd/trunk: CHANGES modules/ssl/mod_ssl.c modules/ssl/ssl_engine_io.c modules/ssl/ssl_engine_kernel.c modules/ssl/ssl_private.h
Date Tue, 06 Nov 2007 20:45:42 GMT

On 11/06/2007 04:02 PM, wrote:
> Author: jorton
> Date: Tue Nov  6 07:02:32 2007
> New Revision: 592446
> URL:
> Log:
> mod_ssl: Fix forever-broken TLS upgrade support; perform the upgrade
> in the post_read_request hook rather than in a filter, and fix the
> filter insertion issue:
> * modules/ssl/ssl_engine_kernel.c (upgrade_connection): New function,
> mostly moved from ssl_io_filter_Upgrade.
> (ssl_hook_ReadReq): Call upgrade_connection to upgrade to TLS if
> required.
> * modules/ssl/ssl_engine_io.c (ssl_io_filter_Upgrade): Remove
> function.
> (ssl_io_input_add_filter, ssl_io_filter_init): Take a request_rec
> pointer and pass to ap_add_*_filter to ensure the filter chain
> is modified correctly; remove it from the filter afterwards.

Can you explain this in more detail please? I currently don't understand
what is going wrong if you call ap_add_input_filter / ap_add_output_filter
with NULL instead of r in the case of an upgrade (where r != NULL). Is it
because INSERT_BEFORE delivers the wrong value because f->r == NULL for all
connection level filters?

Currently I see the danger that the connection level filter ssl_io_filter
is allocated out of the request pool by add_any_filter_handle (because r != NULL)
instead of the connection pool. I think that even in the upgrade case the lifetime of
ssl_io_filter is the same as the (remaining) lifetime of the connection and that
this lifetime might be longer than that of r->pool.



View raw message