Changeset 72b669e in mod_gnutls for include


Timestamp: Sep 27, 2018, 1:23:25 PM
Author: Fiona Klute <fiona.klute@…>
Branches: asyncio, debian/master, main, master, proxy-ticket
Children: c33ef88
Parents: 514d4d6
Message:

Refuse to send or receive over a failed TLS connection

On a failed connection (e.g. after a refused handshake) the
input/output filters would pass data unprocessed to the next filter in
the chain. On a normal server this just led to odd log messages
(because the HTTP handler couldn't process whatever the client was
sending), but for proxy HTTPS connections it caused a security issue:
The proxy request would be sent unencrypted after the failed
handshake, and the connection only closed when mod_proxy didn't
receive a valid response.

The fix is to refuse any send or receive operations through the
filters if the TLS connection failed.

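The failure mode the commit message describes, as an added illustration that is not mod_gnutls code and not part of this changeset: a toy C model of an output filter sitting in front of the socket. Everything here is hypothetical (toy_handle_t, toy_wire_t, output_filter_before/after, request_leaks); the byte-wise XOR stands in for record protection and is not TLS, and the request string is constructed for the example. Only the status convention (0 pending, 1 up, -1 error) is taken from the header comment in this changeset.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Status convention from the mgs_handle_t comment in this changeset:
 * 0 before (re-)handshake, 1 when up, -1 on error. */
#define TLS_STATUS_PENDING  0
#define TLS_STATUS_UP       1
#define TLS_STATUS_FAILED  -1

/* Hypothetical stand-in for mgs_handle_t (not the real struct). */
typedef struct {
    int status;
    unsigned char key;   /* toy record-protection key; NOT TLS */
} toy_handle_t;

/* Hypothetical stand-in for the next filter in the chain, i.e. the socket:
 * whatever is written here is what the peer sees on the wire. */
typedef struct {
    unsigned char bytes[256];
    size_t len;
} toy_wire_t;

static int wire_write(toy_wire_t *w, const unsigned char *buf, size_t n)
{
    if (w->len + n > sizeof w->bytes)
        return -1;
    memcpy(w->bytes + w->len, buf, n);
    w->len += n;
    return 0;
}

/* Stand-in for gnutls_record_send(): the only legitimate path to the wire.
 * XOR with a fixed key is a placeholder for record protection, not a cipher. */
static int toy_record_send(toy_handle_t *h, toy_wire_t *w,
                           const unsigned char *buf, size_t n)
{
    unsigned char out[256];
    if (n > sizeof out)
        return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = buf[i] ^ h->key;
    return wire_write(w, out, n);
}

/* Pre-fix behaviour as the commit message describes it: without a usable
 * session the filter hands the data to the next filter unprocessed. */
int output_filter_before(toy_handle_t *h, toy_wire_t *w,
                         const unsigned char *buf, size_t n)
{
    if (h->status != TLS_STATUS_UP)
        return wire_write(w, buf, n);      /* plaintext leaves the process */
    return toy_record_send(h, w, buf, n);
}

/* Post-fix behaviour: a failed handshake (status < 0) refuses the send.
 * The pending state would start a handshake in a real filter; the toy
 * refuses it too, so only an established session ever reaches the wire. */
int output_filter_after(toy_handle_t *h, toy_wire_t *w,
                        const unsigned char *buf, size_t n)
{
    if (h->status < 0)                      /* the check the fix introduces */
        return -1;
    if (h->status == TLS_STATUS_PENDING)
        return -1;
    return toy_record_send(h, w, buf, n);
}

/* Detection helper: does the request appear verbatim on the wire? */
int wire_contains_plaintext(const toy_wire_t *w, const unsigned char *msg, size_t n)
{
    if (n == 0 || w->len < n)
        return 0;
    for (size_t i = 0; i + n <= w->len; i++)
        if (memcmp(w->bytes + i, msg, n) == 0)
            return 1;
    return 0;
}

/* Driver: 1 if the (constructed) proxy request leaked in clear, 0 if it was
 * protected or refused, for a handle in the given status. */
int request_leaks(int status, int use_fixed_filter)
{
    static const unsigned char req[] = "GET /internal HTTP/1.1\r\nHost: backend\r\n\r\n";
    toy_handle_t h = { status, 0x5a };
    toy_wire_t w = { {0}, 0 };
    size_t n = sizeof req - 1;
    if (use_fixed_filter)
        output_filter_after(&h, &w, req, n);
    else
        output_filter_before(&h, &w, req, n);
    return wire_contains_plaintext(&w, req, n);
}

int main(void)
{
    printf("failed handshake, old filter: leak=%d\n", request_leaks(TLS_STATUS_FAILED, 0));
    printf("failed handshake, new filter: leak=%d\n", request_leaks(TLS_STATUS_FAILED, 1));
    printf("session up, new filter:       leak=%d\n", request_leaks(TLS_STATUS_UP, 1));
    return 0;
}
```

The point of the model is the shape of the check rather than the crypto: the old filter treats "not up" as "nothing to do" and forwards the bytes, so a refused handshake turns the proxy's first request into cleartext on the socket; the fixed filter treats a negative status as a hard error and returns before anything is written. A unit test that feeds a request through the filter with status set to -1 and asserts the wire stays empty is the regression check a practitioner would keep.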
File: 1 edited

  • include/mod_gnutls.h.in

    r514d4d6 r72b669e  
    204204} mgs_char_buffer_t;
    205205
    206 /* GnuTLS Handle */
     206/** GnuTLS connection handle */
    207207typedef struct {
    208208        /* Server configuration record */
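Review bot: the comment at line 206 is switched to the Doxygen form `/** GnuTLS connection handle */` while the member comment two lines below, `/* Server configuration record */`, keeps the plain `/* */` style, so a doc generator will pick up the type but not its fields. If the intent is to move mod_gnutls.h.in to `/** */` comments, convert the member comments inside the struct in the same change; otherwise keep this one plain for consistency.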
     
    242242        /* Output length */
    243243    apr_size_t output_length;
    244         /* General Status */
     244    /** Connection status: 0 before (re-)handshake, 1 when up, -1 on
     245     * error (checks use status < 0 or status > 0) */
    245246    int status;
    246247} mgs_handle_t;
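Review bot: the status comment at lines 244-245 leaves the three states as magic numbers that callers must decode by reading the comment ("checks use status < 0 or status > 0"), and since the fix described in the commit message hinges on the filters telling "failed" (-1) apart from "not yet handshaken" (0) and "up" (1), that distinction deserves a named form: an enum or three #defines for the pending/up/error values, chosen so the existing `status < 0` and `status > 0` tests stay valid. Note also that the view here is restricted to include/ and shows only this header, so the refusal itself is not visible; a reviewer should confirm in the filter code that both the input and the output filter check `status < 0` before passing data, since the message says the pass-through affected both directions.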