From 87a7351c755c9ef8ab386e3090e44838c2a06d48 Mon Sep 17 00:00:00 2001 From: Eric Covener Date: Mon, 7 Jul 2025 12:09:30 +0000 Subject: [PATCH] backport 1927037 from trunk remove antiquated 'SSLEngine optional' TLS upgrade Reviewed By: rpluem, jorton, covener git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1927045 13f79535-47bb-0310-9956-ffa450edef68 --- modules/ssl/ssl_engine_config.c | 6 ++- modules/ssl/ssl_engine_init.c | 6 +-- modules/ssl/ssl_engine_kernel.c | 86 --------------------------------- modules/ssl/ssl_private.h | 1 - 4 files changed, 7 insertions(+), 92 deletions(-) diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c index b50c259..b5f8bdf 100644 --- a/modules/ssl/mod_ssl.c +++ b/modules/ssl/mod_ssl.c @@ -617,7 +617,7 @@ static const char *ssl_hook_http_scheme(const request_rec *r) { SSLSrvConfigRec *sc = mySrvConfig(r->server); - if (sc->enabled == SSL_ENABLED_FALSE || sc->enabled == SSL_ENABLED_OPTIONAL) { + if (sc->enabled == SSL_ENABLED_FALSE) { return NULL; } @@ -628,7 +628,7 @@ static apr_port_t ssl_hook_default_port(const request_rec *r) { SSLSrvConfigRec *sc = mySrvConfig(r->server); - if (sc->enabled == SSL_ENABLED_FALSE || sc->enabled == SSL_ENABLED_OPTIONAL) { + if (sc->enabled == SSL_ENABLED_FALSE) { return 0; } diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c index ca5f702..7b3e212 100644 --- a/modules/ssl/ssl_engine_config.c +++ b/modules/ssl/ssl_engine_config.c @@ -739,11 +739,13 @@ const char *ssl_cmd_SSLEngine(cmd_parms *cmd, void *dcfg, const char *arg) return NULL; } else if (!strcasecmp(arg, "Optional")) { - sc->enabled = SSL_ENABLED_OPTIONAL; + sc->enabled = SSL_ENABLED_FALSE; + ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, cmd->server, APLOGNO(10510) + "'SSLEngine optional' is no longer supported"); return NULL; } - return "Argument must be On, Off, or Optional"; + return "Argument must be On or Off"; } const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag) 
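Review bot: Mapping `Optional` to `SSL_ENABLED_FALSE` turns a vhost that could previously negotiate TLS into a plaintext-only one, and the new `ap_log_error` reports that at APLOG_NOTICE, which is easy to miss in a startup log; a downgrade of the security posture deserves at least APLOG_WARNING and a message that says what the server will now do, e.g. `"'SSLEngine optional' is no longer supported; treating it as 'SSLEngine off'"`. The directive is still accepted while the error string at the end of the hunk now reads `Argument must be On or Off`, so a one-line comment above the `Optional` branch, `/* accepted only for config compatibility; behaves as Off */`, would explain the asymmetry to the next reader. ssl_cmd_SSLEngine starts outside this hunk. Unrelated to the code: the diffstat in the commit message lists four files, but the patch also carries two hunks for modules/ssl/mod_ssl.c.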
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index e4f5fc8..ce8cb3a 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -410,7 +410,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, &ssl_module); sc = mySrvConfig(s); - if (sc->enabled == SSL_ENABLED_TRUE || sc->enabled == SSL_ENABLED_OPTIONAL) { + if (sc->enabled == SSL_ENABLED_TRUE) { if ((rv = ssl_run_init_server(s, p, 0, sc->server->ssl_ctx)) != APR_SUCCESS) { return rv; } @@ -2016,9 +2016,9 @@ apr_status_t ssl_init_ConfigureServer(server_rec *s, &ssl_module); apr_status_t rv; - /* Initialize the server if SSL is enabled or optional. + /* Initialize the server if SSL is enabled. */ - if ((sc->enabled == SSL_ENABLED_TRUE) || (sc->enabled == SSL_ENABLED_OPTIONAL)) { + if (sc->enabled == SSL_ENABLED_TRUE) { ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01914) "Configuring server %s for SSL protocol", sc->vhost_id); if ((rv = ssl_init_server_ctx(s, p, ptemp, sc, pphrases)) diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index 40acb04..c13e86c 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c 
@@ -38,59 +38,6 @@ static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn); static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s); #endif -#define SWITCH_STATUS_LINE "HTTP/1.1 101 Switching Protocols" -#define UPGRADE_HEADER "Upgrade: TLS/1.0, HTTP/1.1" -#define CONNECTION_HEADER "Connection: Upgrade" - -/* Perform an upgrade-to-TLS for the given request, per RFC 2817. */ -static apr_status_t upgrade_connection(request_rec *r) -{ - struct conn_rec *conn = r->connection; - apr_bucket_brigade *bb; - SSLConnRec *sslconn; - apr_status_t rv; - SSL *ssl; - - ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02028) - "upgrading connection to TLS"); - - bb = apr_brigade_create(r->pool, conn->bucket_alloc); - - rv = ap_fputs(conn->output_filters, bb, SWITCH_STATUS_LINE CRLF - UPGRADE_HEADER CRLF CONNECTION_HEADER CRLF CRLF); - if (rv == APR_SUCCESS) { - APR_BRIGADE_INSERT_TAIL(bb, - apr_bucket_flush_create(conn->bucket_alloc)); - rv = ap_pass_brigade(conn->output_filters, bb); - } - - if (rv) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02029) - "failed to send 101 interim response for connection " - "upgrade"); - return rv; - } - - ssl_init_ssl_connection(conn, r); - - sslconn = myConnConfig(conn); - ssl = sslconn->ssl; - - /* Perform initial SSL handshake. */ - SSL_set_accept_state(ssl); - SSL_do_handshake(ssl); - - if (!SSL_is_init_finished(ssl)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030) - "TLS upgrade handshake failed"); - ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server); - - return APR_ECONNABORTED; - } - - return APR_SUCCESS; -} - /* Perform a speculative (and non-blocking) read from the connection * filters for the given request, to determine whether there is any * pending data to read. Return non-zero if there is, else zero. */ 
@@ -270,40 +217,17 @@ int ssl_hook_ReadReq(request_rec *r) { SSLSrvConfigRec *sc = mySrvConfig(r->server); SSLConnRec *sslconn; - const char *upgrade; #ifdef HAVE_TLSEXT const char *servername; #endif SSL *ssl; - /* Perform TLS upgrade here if "SSLEngine optional" is configured, - * SSL is not already set up for this connection, and the client - * has sent a suitable Upgrade header. */ - if (sc->enabled == SSL_ENABLED_OPTIONAL && !myConnConfig(r->connection) - && (upgrade = apr_table_get(r->headers_in, "Upgrade")) != NULL - && ap_find_token(r->pool, upgrade, "TLS/1.0")) { - if (upgrade_connection(r)) { - return AP_FILTER_ERROR; - } - } - /* If we are on a slave connection, we do not expect to have an SSLConnRec, * but our master connection might. */ sslconn = myConnConfig(r->connection); if (!(sslconn && sslconn->ssl) && r->connection->master) { sslconn = myConnConfig(r->connection->master); } - - /* If "SSLEngine optional" is configured, this is not an SSL - * connection, and this isn't a subrequest, send an Upgrade - * response header. Note this must happen before map_to_storage - * and OPTIONS * request processing is completed. - */ - if (sc->enabled == SSL_ENABLED_OPTIONAL && !(sslconn && sslconn->ssl) - && !r->main) { - apr_table_setn(r->headers_out, "Upgrade", "TLS/1.0, HTTP/1.1"); - apr_table_mergen(r->headers_out, "Connection", "upgrade"); - } if (!sslconn) { return DECLINED; 
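Review bot: After the two removed blocks, `sc` (declared on the first line of the hunk via `mySrvConfig(r->server)`) has no remaining reader inside this hunk; ssl_hook_ReadReq continues past the hunk, so if its only other use is under `#ifdef HAVE_TLSEXT`, builds without TLSEXT will now warn about an unused variable — either move the declaration into that `#ifdef` or drop it if nothing else reads it. With the RFC 2817 path gone, a plaintext request carrying `Upgrade: TLS/1.0` is now processed as ordinary HTTP with no `Upgrade` response header, which is presumably the intent; a short comment where the first block used to be, `/* RFC 2817 TLS upgrade (SSLEngine optional) was removed; plain requests fall through. */`, would keep future readers from hunting for the upgrade handling.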
@@ -1239,16 +1163,6 @@ int ssl_hook_Access(request_rec *r) * Support for SSLRequireSSL directive */ if (dc->bSSLRequired && !ssl) { - if ((sc->enabled == SSL_ENABLED_OPTIONAL) && !r->connection->master) { - /* This vhost was configured for optional SSL, just tell the - * client that we need to upgrade. - */ - apr_table_setn(r->err_headers_out, "Upgrade", "TLS/1.0, HTTP/1.1"); - apr_table_setn(r->err_headers_out, "Connection", "Upgrade"); - - return HTTP_UPGRADE_REQUIRED; - } - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02219) "access to %s failed, reason: %s", r->filename, "SSL connection required"); @@ -1421,7 +1335,7 @@ int ssl_hook_UserCheck(request_rec *r) * - ssl not enabled * - client did not present a certificate */ - if (!((sc->enabled == SSL_ENABLED_TRUE || sc->enabled == SSL_ENABLED_OPTIONAL) + if (!((sc->enabled == SSL_ENABLED_TRUE) && sslconn && sslconn->ssl && sslconn->client_cert) || !(dc->nOptions & SSL_OPT_FAKEBASICAUTH) || r->user) { @@ -1543,7 +1457,7 @@ int ssl_hook_Fixup(request_rec *r) /* * Check to see if SSL is on */ - if (!(((sc->enabled == SSL_ENABLED_TRUE) || (sc->enabled == SSL_ENABLED_OPTIONAL)) && sslconn && (ssl = sslconn->ssl))) { + if (!((sc->enabled == SSL_ENABLED_TRUE) && sslconn && (ssl = sslconn->ssl))) { return DECLINED; } diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h index f8a1db7..2f8d4d3 100644 --- a/modules/ssl/ssl_private.h +++ b/modules/ssl/ssl_private.h @@ -468,7 +468,6 @@ typedef enum { SSL_ENABLED_UNSET = UNSET, SSL_ENABLED_FALSE = 0, SSL_ENABLED_TRUE = 1, - SSL_ENABLED_OPTIONAL = 3 } ssl_enabled_t; /**
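Review bot: The rewritten condition in ssl_hook_UserCheck keeps a now-pointless inner pair of parentheses, `!((sc->enabled == SSL_ENABLED_TRUE) && sslconn && ...`, and the ssl_hook_Fixup hunk below does the same, whereas the ssl_engine_init.c hunks write the bare `sc->enabled == SSL_ENABLED_TRUE`; for consistency drop the extra parens: `if (!(sc->enabled == SSL_ENABLED_TRUE && sslconn && sslconn->ssl && sslconn->client_cert)`. Both functions begin and end outside their hunks.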
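Review bot: Deleting `SSL_ENABLED_OPTIONAL = 3` leaves `ssl_enabled_t` with an unexplained gap after `SSL_ENABLED_TRUE = 1`, and nothing in the header records that the value is retired; a one-line comment in the enum, `/* 3 was SSL_ENABLED_OPTIONAL (RFC 2817 upgrade), removed; do not reuse */`, preserves that history where the next person adding a member will see it. Since ssl_private.h is module-private, any remaining in-tree reference to the symbol now fails to compile, which is the desired outcome. The `typedef enum {` opener precedes this hunk.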