Message-ID: <4730D276.7020407@apache.org>
Date: Tue, 06 Nov 2007 21:45:42 +0100
From: Ruediger Pluem
To: dev@httpd.apache.org
Subject: Re: svn commit: r592446 - in /httpd/httpd/trunk: CHANGES modules/ssl/mod_ssl.c modules/ssl/ssl_engine_io.c modules/ssl/ssl_engine_kernel.c modules/ssl/ssl_private.h
References: <20071106150234.247231A9832@eris.apache.org>
In-Reply-To: <20071106150234.247231A9832@eris.apache.org>

On 11/06/2007 04:02 PM, jorton@apache.org wrote:
> Author: jorton
> Date: Tue Nov 6 07:02:32 2007
> New Revision: 592446
>
> URL: http://svn.apache.org/viewvc?rev=592446&view=rev
> Log:
> mod_ssl: Fix forever-broken TLS upgrade support; perform the upgrade
> in the post_read_request hook rather than in a filter, and fix the
> filter insertion issue:
>
> * modules/ssl/ssl_engine_kernel.c (upgrade_connection): New function,
> mostly moved from ssl_io_filter_Upgrade.
> (ssl_hook_ReadReq): Call upgrade_connection to upgrade to TLS if
> required.
>
> * modules/ssl/ssl_engine_io.c (ssl_io_filter_Upgrade): Remove
> function.
> (ssl_io_input_add_filter, ssl_io_filter_init): Take a request_rec
> pointer and pass to ap_add_*_filter to ensure the filter chain
> is modified correctly; remove it from the filter afterwards.

Can you explain this in more detail please? I currently don't understand
what is going wrong if you call ap_add_input_filter / ap_add_output_filter
with NULL instead of r in the case of an upgrade (where r != NULL).
Is it because INSERT_BEFORE delivers the wrong value because f->r == NULL for
all connection level filters?

Currently I see the danger that the connection level filter ssl_io_filter is
allocated out of the request pool by add_any_filter_handle (because r != NULL)
instead of the connection pool. I think that even in the upgrade case the
lifetime of ssl_io_filter is the same as the (remaining) lifetime of the
connection and that this lifetime might be longer than that of r->pool.

Regards

Rüdiger
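
A toy C model of the lifetime concern raised in the message above, added here as an illustration and not taken from httpd or APR. The `pool`, `conn` and `request` types and `add_filter` are simplified stand-ins, and the pool selection (`r != NULL` means the request pool) is assumed from the message's description of `add_any_filter_handle`.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy model, not APR: a pool frees everything it handed out when destroyed. */
typedef struct pool { void *blocks[4]; int n; int alive; } pool;
typedef struct filter { const char *name; } filter;
typedef struct conn { pool *pool; filter *input; pool *input_owner; } conn;
typedef struct request { pool *pool; conn *c; } request;

static void *pool_alloc(pool *p, size_t sz) {
    void *m = calloc(1, sz);
    if (m == NULL) abort();
    p->blocks[p->n++] = m;
    return m;
}

static void pool_destroy(pool *p) {
    while (p->n > 0) free(p->blocks[--p->n]);
    p->alive = 0;
}

/* Pool choice as the message describes it: request pool whenever r != NULL. */
static void add_filter(conn *c, request *r, const char *name) {
    pool *p = r ? r->pool : c->pool;
    filter *f = pool_alloc(p, sizeof *f);
    f->name = name;
    c->input = f;        /* the connection keeps using this pointer */
    c->input_owner = p;  /* bookkeeping, so the check never touches f itself */
}

/* Returns 1 if the connection still holds a filter whose pool is gone. */
static int filter_dangles_after_request(int pass_request) {
    pool cpool = { {0}, 0, 1 }, rpool = { {0}, 0, 1 };
    conn c = { &cpool, NULL, NULL };
    request r = { &rpool, &c };

    add_filter(&c, pass_request ? &r : NULL, "ssl_io_filter");
    pool_destroy(&rpool);   /* request ends, the connection stays open */
    int dangling = !c.input_owner->alive;
    pool_destroy(&cpool);   /* connection closes */
    return dangling;
}

int main(void) {
    printf("r passed:    dangling=%d\n", filter_dangles_after_request(1));
    printf("NULL passed: dangling=%d\n", filter_dangles_after_request(0));
    return 0;
}
```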