Changeset 8ac7c0d in mod_gnutls

Timestamp:

Feb 11, 2016, 2:48:07 PM (4 years ago)

Author:

Thomas Klute <thomas2.klute@…>

Branches:

debian/master, debian/stretch-backports, jessie-backports, master, upstream

Children:

a038290

Parents:

7aeabcb

git-author:

Thomas Klute <thomas2.klute@…> (02/11/16 14:21:17)

git-committer:

Thomas Klute <thomas2.klute@…> (02/11/16 14:48:07)

Message:

Register "ssl_is_https" function for compatibility with mod_rewrite

mod_rewrite calls this function to fill its %{HTTPS} special variable,
and not providing it meant that conditions like

RewriteCond? "%{HTTPS}" "off"

would match HTTPS connections using mod_gnutls. When used to redirect
clients from HTTP to HTTPS connections, this could lead to redirection
loops as reported in Debian bug #514005 [1]. In addition to
registering the function this commit also adds a test chase that
checks if an HTTP to HTTPS redirection works.

[1] ​https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514005

Files:

• configure.ac (modified) (1 diff)
• src/mod_gnutls.c (modified) (2 diffs)
• test/Makefile.am (modified) (1 diff)
• test/README (modified) (1 diff)
• test/test-26_HTTPS_server_var.bash (added)
• test/tests/26_HTTPS_server_var/apache.conf (added)
• test/tests/Makefile.am (modified) (1 diff)

configure.ac

@@ -191 +191 @@
 Listen ${i}:\${TEST_PORT}"
 done
+dnl HTTP ports, only active if TEST_HTTP_PORT is defined
+LISTEN_LIST="${LISTEN_LIST}
+<IfDefine TEST_HTTP_PORT>"
+for i in ${TEST_IP}; do
+        LISTEN_LIST="${LISTEN_LIST}
+        Listen ${i}:\${TEST_HTTP_PORT}"
+done
+LISTEN_LIST="${LISTEN_LIST}
+</IfDefine>"
 AC_SUBST(LISTEN_LIST)
 AM_SUBST_NOTMAKE(LISTEN_LIST)

src/mod_gnutls.c

@@ -69 +69 @@
     APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable);
     APR_REGISTER_OPTIONAL_FN(ssl_engine_disable);
-}
-
+
+    /* mod_rewrite calls this function to detect HTTPS */
+    APR_REGISTER_OPTIONAL_FN(ssl_is_https);
+}
+
+
+
+/*
+ * mod_rewrite calls this function to fill %{HTTPS}. A non-zero return
+ * value means that HTTPS is in use.
+ */
 int ssl_is_https(conn_rec *c)
 {
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
         ap_get_module_config(c->base_server->module_config, &gnutls_module);
-    if(sc->enabled == 0 || sc->non_ssl_request == 1) {
+    mgs_handle_t *ctxt = (mgs_handle_t *)
+        ap_get_module_config(c->conn_config, &gnutls_module);
+
+    if(sc->enabled == GNUTLS_ENABLED_FALSE
+       || ctxt == NULL
+       || ctxt->enabled == GNUTLS_ENABLED_FALSE)
+    {
         /* SSL/TLS Disabled or Plain HTTP Connection Detected */
         return 0;
@@ -82 +97 @@
     return 1;
 }
+
+
 
 int ssl_engine_disable(conn_rec *c)

test/Makefile.am

@@ -28 +28 @@
         test-23_TLS_reverse_proxy_mismatched_priorities.bash \
         test-24_pkcs11_cert.bash \
-        test-25_Disable_TLS_1.0.bash
+        test-25_Disable_TLS_1.0.bash \
+        test-26_HTTPS_server_var.bash
 
 TESTS = $(dist_check_SCRIPTS)

test/README

@@ -94 +94 @@
 request based on the files described above. Note that some tests take
 additional steps, e.g. starting another server to act as proxy
-backend, and there is no technical requirement to use "runtests".
+backend, and at least one does not use "runtests" at all.
 
 By default (if "unshare" is available and has the permissions required

test/tests/Makefile.am

@@ -25 +25 @@
         23_TLS_reverse_proxy_mismatched_priorities/apache.conf 23_TLS_reverse_proxy_mismatched_priorities/backend.conf 23_TLS_reverse_proxy_mismatched_priorities/gnutls-cli.args 23_TLS_reverse_proxy_mismatched_priorities/input 23_TLS_reverse_proxy_mismatched_priorities/output \
         24_pkcs11_cert/apache.conf 24_pkcs11_cert/gnutls-cli.args 24_pkcs11_cert/input 24_pkcs11_cert/output \
-        25_Disable_TLS_1.0/apache.conf 25_Disable_TLS_1.0/fail.client 25_Disable_TLS_1.0/gnutls-cli.args 25_Disable_TLS_1.0/input
+        25_Disable_TLS_1.0/apache.conf 25_Disable_TLS_1.0/fail.client 25_Disable_TLS_1.0/gnutls-cli.args 25_Disable_TLS_1.0/input \
+        26_HTTPS_server_var/apache.conf