Changeset b429e4c in mod_gnutls for src

Timestamp:

Feb 3, 2015, 6:31:46 AM (5 years ago)

Author:

Thomas Klute <thomas2.klute@…>

Branches:

debian/master, debian/stretch-backports, jessie-backports, master, proxy-ticket, upstream

Children:

b324906

Parents:

d7a8286

git-author:

Thomas Klute <thomas2.klute@…> (02/03/15 05:46:50)

git-committer:

Thomas Klute <thomas2.klute@…> (02/03/15 06:31:46)

Message:

Cleanup handler for proxy TLS connections

When handling client connections, the TLS connection is closed when the
the data source announces "end of connection" with an EOC bucket in the
output bucket brigade. For proxy back end connections there is no such
mechanism.

This commit adds a pre cleanup hook to the connection memory pool of
proxy back end connections, which will try to close the TLS connection
and then deinit the GnuTLS session.

Note that mod_proxy might not close connections immediately, so there is
no guarantee as to when exactly the cleanup will happen. This means that
the TLS session termination might be too late to be meaningful to the
peer, but either way the GnuTLS session structure will be deinitialized
properly. If you need to ensure that connections are closed immediately,
you might want to look at the "proxy-nokeepalive" environment variable
for mod_proxy_http.

File:

• src/gnutls_hooks.c (modified) (3 diffs)

src/gnutls_hooks.c

@@ -39 +39 @@
 static apr_file_t *debug_log_fp;
 #endif
+
+#define IS_PROXY_STR(c) \
+    ((c->is_proxy == GNUTLS_ENABLED_TRUE) ? "proxy " : "")
 
 static gnutls_datum_t session_ticket_key = {NULL, 0};
@@ -684 +687 @@
 }
 
+/*
+ * This function is intended as a cleanup handler for connections
+ * using GnuTLS.
+ *
+ * @param data must point to the mgs_handle_t associated with the
+ * connection
+ */
+static apr_status_t cleanup_gnutls_session(void *data)
+{
+    /* nothing to do */
+    if (data == NULL)
+        return APR_SUCCESS;
+
+    /* check if session needs closing */
+    mgs_handle_t *ctxt = (mgs_handle_t *) data;
+    if (ctxt->session != NULL)
+    {
+        int ret;
+        /* Try A Clean Shutdown */
+        do
+            ret = gnutls_bye(ctxt->session, GNUTLS_SHUT_WR);
+        while (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN);
+        if (ret != GNUTLS_E_SUCCESS)
+            ap_log_cerror(APLOG_MARK, APLOG_INFO, ret, ctxt->c,
+                          "%s: error while closing TLS %sconnection: %s (%d)",
+                          __func__, IS_PROXY_STR(ctxt),
+                          gnutls_strerror(ret), ret);
+        else
+            ap_log_cerror(APLOG_MARK, APLOG_DEBUG, ret, ctxt->c,
+                          "%s: TLS %sconnection closed.",
+                          __func__, IS_PROXY_STR(ctxt));
+        /* De-Initialize Session */
+        gnutls_deinit(ctxt->session);
+        ctxt->session = NULL;
+    }
+    return APR_SUCCESS;
+}
+
 static void create_gnutls_handle(conn_rec * c)
 {
@@ -727 +768 @@
                           "gnutls_session_ticket_enable_client failed: %s (%d)",
                           gnutls_strerror(err), err);
+        /* Try to close and deinit the session when the connection
+         * pool is cleared. Note that mod_proxy might not close
+         * connections immediately, if you need that, look at the
+         * "proxy-nokeepalive" environment variable for
+         * mod_proxy_http. */
+        apr_pool_pre_cleanup_register(c->pool, ctxt, cleanup_gnutls_session);
     }
     else