Changeset 72b669e in mod_gnutls for src/gnutls_io.c


Timestamp:
Sep 27, 2018, 1:23:25 PM (2 years ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
debian/master, master, proxy-ticket
Children:
c33ef88
Parents:
514d4d6
Message:

Refuse to send or receive over a failed TLS connection

On a failed connection (e.g. after a refused handshake) the
input/output filters would pass data unprocessed to the next filter in
the chain. On a normal server this just led to odd log messages
(because the HTTP handler couldn't process whatever the client was
sending), but for proxy HTTPS connections it caused a security issue:
The proxy request would be sent unencrypted after the failed
handshake, and the connection only closed when mod_proxy didn't
receive a valid response.

The fix is to refuse any send or receive operations through the
filters if the TLS connection failed.

File:
1 edited

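--- a/src/gnutls_io.c
+++ b/src/gnutls_io.c
@@ -563,8 +563,13 @@
     }
 
-    if (ctxt->status < 0) {
-        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, ctxt->c,
-                      "%s %s: ap_get_brigade", __func__, IS_PROXY_STR(ctxt));
-        return ap_get_brigade(f->next, bb, mode, block, readbytes);
+    if (ctxt->status < 0)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, ctxt->c,
+                      "%s: %sconnection failed, cannot provide data!",
+                      __func__, IS_PROXY_STR(ctxt));
+        apr_bucket *bucket =
+                apr_bucket_eos_create(f->c->bucket_alloc);
+        APR_BRIGADE_INSERT_TAIL(bb, bucket);
+        return APR_ECONNABORTED;
     }
 
@@ -706,6 +711,22 @@
     }
 
-    if (ctxt->status < 0) {
-        return ap_pass_brigade(f->next, bb);
+    if (ctxt->status < 0)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, ctxt->c,
+                      "%s: %sconnection failed, refusing to send.",
+                      __func__, IS_PROXY_STR(ctxt));
+        if (ctxt->is_proxy)
+        {
+            /* If mod_proxy receives an error while trying to send its
+             * request it sends an "invalid request" error to the
+             * client. By pretending we could send the request
+             * mod_proxy continues its processing and sends a proper
+             * "proxy error" message when there's no response to read. */
+            apr_bucket *bucket = apr_bucket_eos_create(f->c->bucket_alloc);
+            APR_BRIGADE_INSERT_TAIL(bb, bucket);
+            return APR_SUCCESS;
+        }
+        else
+            return APR_ECONNABORTED;
     }
 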
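Review bot: In the send hunk's proxy branch (new lines 725–727) the caller's unsent data buckets are left in `bb` when the EOS is appended and APR_SUCCESS is returned; consider `apr_brigade_cleanup(bb);` before the insert so that plaintext request data is released rather than left behind in the brigade, unless mod_proxy is known to clean it itself — that is not visible from the hunk. The `else` on new lines 729–730 is unbraced after a braced, returning `if`, unlike the Allman blocks around it; dropping the `else` and writing `return APR_ECONNABORTED;` at the same level as the inner `if` reads cleaner. The input-filter hunk both inserts an EOS and returns APR_ECONNABORTED, and unlike the send path it carries no comment explaining why both are needed; a one-line comment such as `/* EOS for callers that inspect bb despite the error status */` would document the intent, if that is the reason. Both enclosing filter functions start and end outside the hunks.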