Changeset 07d548d in mod_gnutls


Timestamp:
Jan 26, 2015, 11:41:05 AM (8 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
asyncio, debian/master, debian/stretch-backports, jessie-backports, main, master, proxy-ticket, upstream
Children:
5342265
Parents:
accbb83
Message:

Properly use SSLProxyEngine option

ssl_proxy_enable now checks if SSLProxyEngine is enabled, and fails with
an error log entry if not. If it is, TLS is enabled in the mod_gnutls
connection structure.

The pre connection hook (mgs_hook_pre_connection) is changed such that
it does not decline any connection whatsoever if TLS proxy is enabled.

Note that actually using TLS in a proxy backend is still unsupported and
will NOT work.

Location:
src
Files:
2 edited

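--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -753,6 +753,5 @@
         ap_get_module_config(c->conn_config, &gnutls_module);
 
-    if ((sc && (!sc->enabled || sc->proxy_enabled == GNUTLS_ENABLED_TRUE))
-        || (ctxt && ctxt->enabled == GNUTLS_ENABLED_FALSE))
+    if ((sc && (!sc->enabled)) || (ctxt && ctxt->enabled == GNUTLS_ENABLED_FALSE))
     {
         ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "%s declined connection",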
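Review bot: The server-wide test `sc && (!sc->enabled)` is still evaluated before the per-connection `ctxt`, so on a virtual host with the proxy option on but server-side TLS off, a backend connection that ssl_proxy_enable() (src/mod_gnutls.c, same changeset) has just marked `ctxt->enabled = GNUTLS_ENABLED_TRUE` is declined here anyway. mod_proxy has been told TLS is active by then, so the request would presumably reach the backend without any TLS filter, and the only trace is this APLOG_DEBUG line. I would let an explicit per-connection enable take precedence, e.g. `if ((ctxt && ctxt->enabled == GNUTLS_ENABLED_FALSE) || (!(ctxt && ctxt->enabled == GNUTLS_ENABLED_TRUE) && sc && !sc->enabled))`, or log the decline at APLOG_ERR when `ctxt->enabled` is TRUE. The rest of mgs_hook_pre_connection is outside the hunk, so what happens to a proxy connection that is not declined cannot be judged from here.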
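--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -112,8 +112,26 @@
 int ssl_proxy_enable(conn_rec *c)
 {
+    /* check if TLS proxy support is enabled */
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
         ap_get_module_config(c->base_server->module_config, &gnutls_module);
-    sc->proxy_enabled = GNUTLS_ENABLED_TRUE;
-    sc->enabled = GNUTLS_ENABLED_FALSE;
+    if (sc->proxy_enabled != GNUTLS_ENABLED_TRUE)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
+                      "%s: mod_proxy requested TLS proxy, but not enabled "
+                      "for %s", __func__, sc->cert_cn);
+        return 0;
+    }
+
+    /* enable TLS for this connection */
+    mgs_handle_t *ctxt = (mgs_handle_t *)
+        ap_get_module_config(c->conn_config, &gnutls_module);
+    if (ctxt == NULL)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
+                      "%s: allocating connection memory", __func__);
+        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
+        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
+    }
+    ctxt->enabled = GNUTLS_ENABLED_TRUE;
     return 1;
 }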
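Review bot: ssl_proxy_enable() returns 1 once `ctxt->enabled` is set, although the commit message states that TLS towards a proxy backend is still unsupported and will not work; a success return tells mod_proxy that the backend connection is protected. Until the client-side handshake exists I would fail closed after the SSLProxyEngine check, logging at APLOG_ERR and ending with `return 0;`, or at least add `/* FIXME: proxy TLS handshake not implemented yet, the connection must not carry data until it is */` above `ctxt->enabled = GNUTLS_ENABLED_TRUE;`. Separately, `sc` is dereferenced in `sc->proxy_enabled` without a NULL check, while the hook in src/gnutls_hooks.c guards its use with `sc &&`; one of the two is presumably wrong.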