Changeset 8ac7c0d in mod_gnutls


Timestamp:
Feb 11, 2016, 2:48:07 PM (3 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports, master, upstream
Children:
a038290
Parents:
7aeabcb
git-author:
Thomas Klute <thomas2.klute@…> (02/11/16 14:21:17)
git-committer:
Thomas Klute <thomas2.klute@…> (02/11/16 14:48:07)
Message:

Register "ssl_is_https" function for compatibility with mod_rewrite

mod_rewrite calls this function to fill its %{HTTPS} special variable,
and not providing it meant that conditions like

RewriteCond? "%{HTTPS}" "off"

would match HTTPS connections using mod_gnutls. When used to redirect
clients from HTTP to HTTPS connections, this could lead to redirection
loops as reported in Debian bug #514005 [1]. In addition to
registering the function this commit also adds a test case that
checks if an HTTP to HTTPS redirection works.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514005

Files:
2 added
5 edited

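--- a/configure.ac
+++ b/configure.ac
@@ -191,4 +191,13 @@
 Listen ${i}:\${TEST_PORT}"
 done
+dnl HTTP ports, only active if TEST_HTTP_PORT is defined
+LISTEN_LIST="${LISTEN_LIST}
+<IfDefine TEST_HTTP_PORT>"
+for i in ${TEST_IP}; do
+        LISTEN_LIST="${LISTEN_LIST}
+        Listen ${i}:\${TEST_HTTP_PORT}"
+done
+LISTEN_LIST="${LISTEN_LIST}
+</IfDefine>"
 AC_SUBST(LISTEN_LIST)
 AM_SUBST_NOTMAKE(LISTEN_LIST)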
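--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -69,11 +69,26 @@
     APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
     APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
-}
-
+
+    /* mod_rewrite calls this function to detect HTTPS */
+    APR_REGISTER_OPTIONAL_FN(ssl_is_https);
+}
+
+
+
+/*
+ * mod_rewrite calls this function to fill %{HTTPS}. A non-zero return
+ * value means that HTTPS is in use.
+ */
 int ssl_is_https(conn_rec *c)
 {
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
         ap_get_module_config(c->base_server->module_config, &gnutls_module);
-    if(sc->enabled == 0 || sc->non_ssl_request == 1) {
+    mgs_handle_t *ctxt = (mgs_handle_t *)
+        ap_get_module_config(c->conn_config, &gnutls_module);
+
+    if(sc->enabled == GNUTLS_ENABLED_FALSE
+       || ctxt == NULL
+       || ctxt->enabled == GNUTLS_ENABLED_FALSE)
+    {
         /* SSL/TLS Disabled or Plain HTTP Connection Detected */
         return 0;
@@ -82,4 +97,6 @@
     return 1;
 }
+
+
 
 int ssl_engine_disable(conn_rec *c)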
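Review bot: The new condition in ssl_is_https no longer consults `sc->non_ssl_request`, which the removed line used together with the "Plain HTTP Connection Detected" comment to report a plain-HTTP request on a TLS port as not-HTTPS; if that flag is still set in that path and the per-connection `ctxt->enabled` is not cleared there, such a connection would now be reported as HTTPS and a `RewriteCond "%{HTTPS}" "off"` redirect would not fire for it. Confirm against the code that sets the flag, or keep `|| sc->non_ssl_request == 1` alongside the new per-connection check until that is verified. Since `sc` appears to be a per-server record shared across connections, the per-connection `ctxt` looks like the better home for this state if it is retained, but that is outside this hunk. The function that registers ssl_is_https begins before the first hunk, and the two lines between `return 0;` and `return 1;` are not shown.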
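--- a/test/Makefile.am
+++ b/test/Makefile.am
@@ -28,5 +28,6 @@
         test-23_TLS_reverse_proxy_mismatched_priorities.bash \
         test-24_pkcs11_cert.bash \
-        test-25_Disable_TLS_1.0.bash
+        test-25_Disable_TLS_1.0.bash \
+        test-26_HTTPS_server_var.bash
 
 TESTS = $(dist_check_SCRIPTS)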
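--- a/test/README
+++ b/test/README
@@ -94,5 +94,5 @@
 request based on the files described above. Note that some tests take
 additional steps, e.g. starting another server to act as proxy
-backend, and there is no technical requirement to use "runtests".
+backend, and at least one does not use "runtests" at all.
 
 By default (if "unshare" is available and has the permissions required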
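--- a/test/tests/Makefile.am
+++ b/test/tests/Makefile.am
@@ -25,3 +25,4 @@
         23_TLS_reverse_proxy_mismatched_priorities/apache.conf 23_TLS_reverse_proxy_mismatched_priorities/backend.conf 23_TLS_reverse_proxy_mismatched_priorities/gnutls-cli.args 23_TLS_reverse_proxy_mismatched_priorities/input 23_TLS_reverse_proxy_mismatched_priorities/output \
         24_pkcs11_cert/apache.conf 24_pkcs11_cert/gnutls-cli.args 24_pkcs11_cert/input 24_pkcs11_cert/output \
-        25_Disable_TLS_1.0/apache.conf 25_Disable_TLS_1.0/fail.client 25_Disable_TLS_1.0/gnutls-cli.args 25_Disable_TLS_1.0/input
+        25_Disable_TLS_1.0/apache.conf 25_Disable_TLS_1.0/fail.client 25_Disable_TLS_1.0/gnutls-cli.args 25_Disable_TLS_1.0/input \
+        26_HTTPS_server_var/apache.conf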