From notifications-return-337-archive-asf-public=cust-asf.ponee.io@httpd.apache.org Wed Jul 7 12:47:12 2021 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mxout1-he-de.apache.org (mxout1-he-de.apache.org [95.216.194.37]) by mx-eu-01.ponee.io (Postfix) with ESMTPS id 9727318066B for ; Wed, 7 Jul 2021 14:47:12 +0200 (CEST) Received: from mail.apache.org (mailroute1-lw-us.apache.org [207.244.88.153]) by mxout1-he-de.apache.org (ASF Mail Server at mxout1-he-de.apache.org) with SMTP id 5454361976 for ; Wed, 7 Jul 2021 12:47:11 +0000 (UTC) Received: (qmail 16409 invoked by uid 500); 7 Jul 2021 12:47:10 -0000 Mailing-List: contact notifications-help@httpd.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@httpd.apache.org Delivered-To: mailing list notifications@httpd.apache.org Received: (qmail 16389 invoked by uid 99); 7 Jul 2021 12:47:09 -0000 Received: from ec2-52-202-80-70.compute-1.amazonaws.com (HELO gitbox.apache.org) (52.202.80.70) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 07 Jul 2021 12:47:09 +0000 From: =?utf-8?q?GitBox?= To: notifications@httpd.apache.org Subject: =?utf-8?q?=5BGitHub=5D_=5Bhttpd=5D_rpluem_commented_on_a_change_in_pull_requ?= =?utf-8?q?est_=23203=3A_new_ap=5Fssl=5Fbind=5Foutgoing_for_multi_ssl_suppor?= =?utf-8?q?t_in_proxy_connections?= Message-ID: <162566202981.26479.588821559781920042.asfpy@gitbox.apache.org> Date: Wed, 07 Jul 2021 12:47:09 -0000 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit In-Reply-To: References: rpluem commented on a change in pull request #203: URL: https://github.com/apache/httpd/pull/203#discussion_r665335854 ########## File path: server/ssl.c ########## @@ -85,6 +96,77 @@ AP_DECLARE(int) ap_ssl_conn_is_ssl(conn_rec *c) return r; } +static int ssl_engine_set(conn_rec *c, + ap_conf_vector_t *per_dir_config, + int proxy, int enable) +{ + if (proxy) { + return ap_ssl_bind_outgoing(c, per_dir_config, enable) == OK; + } + else if (module_ssl_engine_set) { + return module_ssl_engine_set(c, per_dir_config, 0, enable); + } + else if (enable && module_ssl_proxy_enable) { + return module_ssl_proxy_enable(c); + } + else if (!enable && module_ssl_engine_disable) { + return module_ssl_engine_disable(c); + } + return 0; +} + +static int ssl_proxy_enable(conn_rec *c) +{ + return ap_ssl_bind_outgoing(c, NULL, 1); +} + +static int ssl_engine_disable(conn_rec *c) +{ + return ap_ssl_bind_outgoing(c, NULL, 0); +} + +AP_DECLARE(int) ap_ssl_bind_outgoing(conn_rec *c, struct ap_conf_vector_t *dir_conf, + int enable_ssl) +{ + int rv, enabled = 0; + + c->outgoing = 1; + rv = ap_run_ssl_bind_outgoing(c, dir_conf, enable_ssl); + enabled = (rv == OK); + if (enable_ssl && !enabled) { + /* the hooks did not take over. Is there an old skool optional that will? */ + if (module_ssl_engine_set) { + enabled = module_ssl_engine_set(c, dir_conf, 1, 1); + } + else if (module_ssl_proxy_enable) { + enabled = module_ssl_proxy_enable(c); + } + } + else { + /* !enable_ssl || enabled + * any existing optional funcs need to not enable here */ + if (module_ssl_engine_set) { + module_ssl_engine_set(c, dir_conf, 1, 0); + } + else if (module_ssl_engine_disable) { + module_ssl_engine_disable(c); + } + } + if (enable_ssl && !enabled) { + ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, + c, APLOGNO(01961) " failed to enable ssl support " + "[Hint: if using mod_ssl, see SSLProxyEngine]"); + return DECLINED; + } + return OK; +} + +AP_DECLARE(int) ap_ssl_has_outgoing_handlers(void) +{ + return (_hooks.link_ssl_bind_outgoing && _hooks.link_ssl_bind_outgoing->nelts > 0) Review comment: Shouldn't we use `ap_hook_get_ssl_bind_outgoing()`` instead of `_hooks.link_ssl_bind_outgoing`? ########## File path: include/http_ssl.h ########## @@ -49,6 +51,40 @@ AP_DECLARE_HOOK(int,ssl_conn_is_ssl,(conn_rec *c)) */ AP_DECLARE(int) ap_ssl_conn_is_ssl(conn_rec *c); +/** + * This hook declares a connection to be outgoing and the configuration that applies to it. + * This hook can be called several times in the lifetime of an outgoing connection, e.g. + * when it is re-used in different request contexts. It will at least be called after the + * connection was created and before the pre-connection hooks is invoked. + * All outgoing-connection hooks are run until one returns something other than ok or decline. + * if enable_ssl != 0, a hook that sets up SSL for the connection needs to return DONE. + * + * @param c The connection on which requests/data are to be sent. + * @param dir_conf The directory configuration in which this connection is being used. + * @param enable_ssl If != 0, the SSL protocol should be enabled for this connection. + * @return OK or DECLINED, DONE when ssl was enabled + */ Review comment: First of all sorry for missing this on #190. This is a run first hook. Hence it stops when the hook participant returns anything else but DECLINED. 1. What should be the difference between DONE and OK then? OK says I did not enable SSL, but I wanted to stop the hook? 2. The hook implementation in mod_ssl returns OK and not done when it enabled SSL. And `ap_ssl_bind_outgoing` checks for `OK` and not `DONE` I think the fix is to adjust the documentation (`OK` signals enabled, `DECLINED` signals nothing done) here and leave the code as is. ########## File path: server/ssl.c ########## @@ -85,6 +96,77 @@ AP_DECLARE(int) ap_ssl_conn_is_ssl(conn_rec *c) return r; } +static int ssl_engine_set(conn_rec *c, + ap_conf_vector_t *per_dir_config, + int proxy, int enable) +{ + if (proxy) { + return ap_ssl_bind_outgoing(c, per_dir_config, enable) == OK; + } + else if (module_ssl_engine_set) { + return module_ssl_engine_set(c, per_dir_config, 0, enable); + } + else if (enable && module_ssl_proxy_enable) { + return module_ssl_proxy_enable(c); + } + else if (!enable && module_ssl_engine_disable) { + return module_ssl_engine_disable(c); + } + return 0; +} + +static int ssl_proxy_enable(conn_rec *c) +{ + return ap_ssl_bind_outgoing(c, NULL, 1); +} + +static int ssl_engine_disable(conn_rec *c) +{ + return ap_ssl_bind_outgoing(c, NULL, 0); +} + +AP_DECLARE(int) ap_ssl_bind_outgoing(conn_rec *c, struct ap_conf_vector_t *dir_conf, + int enable_ssl) +{ + int rv, enabled = 0; + + c->outgoing = 1; + rv = ap_run_ssl_bind_outgoing(c, dir_conf, enable_ssl); + enabled = (rv == OK); + if (enable_ssl && !enabled) { + /* the hooks did not take over. Is there an old skool optional that will? */ + if (module_ssl_engine_set) { + enabled = module_ssl_engine_set(c, dir_conf, 1, 1); + } + else if (module_ssl_proxy_enable) { + enabled = module_ssl_proxy_enable(c); + } + } + else { + /* !enable_ssl || enabled + * any existing optional funcs need to not enable here */ + if (module_ssl_engine_set) { + module_ssl_engine_set(c, dir_conf, 1, 0); + } + else if (module_ssl_engine_disable) { + module_ssl_engine_disable(c); + } + } + if (enable_ssl && !enabled) { + ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, Review comment: Maybe I miss the point, but this looks like the same condition as on line 136. Can't we do it at the end of the if block starting in line 136? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscribe@httpd.apache.org For queries about this service, please contact Infrastructure at: users@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: notifications-unsubscribe@httpd.apache.org For additional commands, e-mail: notifications-help@httpd.apache.org