Changeset e8acf05 in mod_gnutls for src/mod_gnutls.c


Timestamp:
Jan 20, 2015, 10:45:39 AM (5 years ago)
Author:
Thomas Klute <thomas2.klute@…>
Branches:
debian/master, debian/stretch-backports, jessie-backports, master, upstream
Children:
c782c1f
Parents:
e4b58b6
git-author:
Thomas Klute <thomas2.klute@…> (01/20/15 10:30:36)
git-committer:
Thomas Klute <thomas2.klute@…> (01/20/15 10:45:39)
Message:

Enable/disable TLS per connection in ssl_engine_disable

Previously, ssl_engine_disable set the server wide variable sc->enabled
to GNUTLS_ENABLED_FALSE, leading to mod_gnutls refusing to serve any
connection, including incoming client connections. The general HTTP
handler cannot process raw TLS traffic, so all further requests using
TLS failed.

This commit adds a new element "enabled" to struct mgs_handle_t, which
is used to disable TLS per connection, making it possible to disable TLS
for proxy back end connections while continuing to serve TLS clients.

File:
1 edited

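--- a/src/mod_gnutls.c
+++ b/src/mod_gnutls.c
@@ -20,6 +20,10 @@
 #include "mod_gnutls.h"
 
-static void gnutls_hooks(apr_pool_t * p __attribute__((unused))) {
-
+#ifdef APLOG_USE_MODULE
+APLOG_USE_MODULE(gnutls);
+#endif
+
+static void gnutls_hooks(apr_pool_t * p __attribute__((unused)))
+{
     /* Try Run Post-Config Hook After mod_proxy */
     static const char * const aszPre[] = { "mod_proxy.c", NULL };
@@ -75,10 +79,22 @@
 }
 
-int ssl_engine_disable(conn_rec *c) {
+int ssl_engine_disable(conn_rec *c)
+{
     mgs_srvconf_rec *sc = (mgs_srvconf_rec *)
-            ap_get_module_config(c->base_server->module_config, &gnutls_module);
+        ap_get_module_config(c->base_server->module_config, &gnutls_module);
     if(sc->enabled == GNUTLS_ENABLED_FALSE) {
         return 1;
     }
+
+    /* disable TLS for this connection */
+    mgs_handle_t *ctxt = (mgs_handle_t *) ap_get_module_config(c->conn_config, &gnutls_module);
+    if (ctxt == NULL)
+    {
+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, "%s: allocating connection memory", __func__);
+        ctxt = apr_pcalloc(c->pool, sizeof (*ctxt));
+        ap_set_module_config(c->conn_config, &gnutls_module, ctxt);
+    }
+    ctxt->enabled = GNUTLS_ENABLED_FALSE;
+
     if (c->input_filters)
         ap_remove_input_filter(c->input_filters);
@@ -86,5 +102,4 @@
         ap_remove_output_filter(c->output_filters);
     mgs_cleanup_pre_config(c->pool);
-    sc->enabled = GNUTLS_ENABLED_FALSE;
     return 1;
 }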
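Review bot: The new per-connection flag is written in ssl_engine_disable but nothing in this section reads it, so the function needs a header comment stating the contract its caller gets; above `int ssl_engine_disable(conn_rec *c)` add something like `/* Optional function used by mod_proxy: marks this connection as plain text by setting ctxt->enabled to GNUTLS_ENABLED_FALSE and removes the TLS filters. The connection hooks must check ctxt->enabled before touching the session. Always returns 1. */`. The check of `ctxt->enabled` presumably lives in the pre-connection hook outside this file section; confirm it runs before any use of the zero-filled session fields of a ctxt created by the new `apr_pcalloc` branch, since that branch only sets `enabled`. As a point of style, the `(mgs_handle_t *)` cast of the `void *` returned by `ap_get_module_config` is unnecessary in C, and `if (ctxt == NULL)` followed by a brace on its own line breaks with the `if(...) {` placement used a few lines above in the same function.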