Changeset b429e4c in mod_gnutls for src/gnutls_hooks.c


Timestamp:
Feb 3, 2015, 6:31:46 AM (5 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports, master, upstream
Children:
b324906
Parents:
d7a8286
git-author:
Thomas Klute <thomas2.klute@…> (02/03/15 05:46:50)
git-committer:
Thomas Klute <thomas2.klute@…> (02/03/15 06:31:46)
Message:

Cleanup handler for proxy TLS connections

When handling client connections, the TLS connection is closed when the
data source announces "end of connection" with an EOC bucket in the
output bucket brigade. For proxy back end connections there is no such
mechanism.

This commit adds a pre cleanup hook to the connection memory pool of
proxy back end connections, which will try to close the TLS connection
and then deinit the GnuTLS session.

Note that mod_proxy might not close connections immediately, so there is
no guarantee as to when exactly the cleanup will happen. This means that
the TLS session termination might be too late to be meaningful to the
peer, but either way the GnuTLS session structure will be deinitialized
properly. If you need to ensure that connections are closed immediately,
you might want to look at the "proxy-nokeepalive" environment variable
for mod_proxy_http.

File:
1 edited

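--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -39,4 +39,7 @@
 static apr_file_t *debug_log_fp;
 #endif
+
+#define IS_PROXY_STR(c) \
+    ((c->is_proxy == GNUTLS_ENABLED_TRUE) ? "proxy " : "")
 
 static gnutls_datum_t session_ticket_key = {NULL, 0};
@@ -684,4 +687,42 @@
 }
 
+/*
+ * This function is intended as a cleanup handler for connections
+ * using GnuTLS.
+ *
+ * @param data must point to the mgs_handle_t associated with the
+ * connection
+ */
+static apr_status_t cleanup_gnutls_session(void *data)
+{
+    /* nothing to do */
+    if (data == NULL)
+        return APR_SUCCESS;
+
+    /* check if session needs closing */
+    mgs_handle_t *ctxt = (mgs_handle_t *) data;
+    if (ctxt->session != NULL)
+    {
+        int ret;
+        /* Try A Clean Shutdown */
+        do
+            ret = gnutls_bye(ctxt->session, GNUTLS_SHUT_WR);
+        while (ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN);
+        if (ret != GNUTLS_E_SUCCESS)
+            ap_log_cerror(APLOG_MARK, APLOG_INFO, ret, ctxt->c,
+                          "%s: error while closing TLS %sconnection: %s (%d)",
+                          __func__, IS_PROXY_STR(ctxt),
+                          gnutls_strerror(ret), ret);
+        else
+            ap_log_cerror(APLOG_MARK, APLOG_DEBUG, ret, ctxt->c,
+                          "%s: TLS %sconnection closed.",
+                          __func__, IS_PROXY_STR(ctxt));
+        /* De-Initialize Session */
+        gnutls_deinit(ctxt->session);
+        ctxt->session = NULL;
+    }
+    return APR_SUCCESS;
+}
+
 static void create_gnutls_handle(conn_rec * c)
 {
@@ -727,4 +768,10 @@
                           "gnutls_session_ticket_enable_client failed: %s (%d)",
                           gnutls_strerror(err), err);
+        /* Try to close and deinit the session when the connection
+         * pool is cleared. Note that mod_proxy might not close
+         * connections immediately, if you need that, look at the
+         * "proxy-nokeepalive" environment variable for
+         * mod_proxy_http. */
+        apr_pool_pre_cleanup_register(c->pool, ctxt, cleanup_gnutls_session);
     }
     else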
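Review bot: In the error branch of cleanup_gnutls_session the GnuTLS return code `ret` is passed as the apr_status_t argument of `ap_log_cerror`; APR treats any non-zero status as an APR/OS error and appends apr_strerror() text for it, so a negative GnuTLS code (e.g. a push error) will be rendered as a meaningless `(-NN)Unknown error` prefix next to the already correct gnutls_strerror() string. Pass `APR_SUCCESS` there instead: `ap_log_cerror(APLOG_MARK, APLOG_INFO, APR_SUCCESS, ctxt->c,` (the debug branch passes 0 because GNUTLS_E_SUCCESS is 0, so it is fine as is). The retry loop around `gnutls_bye()` also spins unbounded on GNUTLS_E_AGAIN; if the transport callbacks can report a would-block condition at pool-cleanup time, presumably a bounded retry count or a single attempt would avoid a worker stuck in cleanup — worth confirming against the push/pull implementation. The registration in the third hunk sits inside create_gnutls_handle, whose body begins and ends outside the hunk.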