authorStefan Eissing <icing@apache.org>2019-01-24 16:21:04 +0100
committerStefan Eissing <icing@apache.org>2019-01-24 16:21:04 +0100
commit4af9b5c0716af4b42961ee547a0e1dbeb0c04d09 (patch)
tree1c988671452c9fb84169f3ad9734f17e0a6e6ae9 /modules
parentmod_http2: enable re-use of slave connections again. (diff)
reverting last change
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1852037 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'modules')
-rw-r--r--modules/http2/h2_conn.c21
-rw-r--r--modules/http2/h2_mplx.c3
-rw-r--r--modules/http2/h2_task.c1
-rw-r--r--modules/ssl/ssl_engine_kernel.c74
4 files changed, 35 insertions, 64 deletions
diff --git a/modules/http2/h2_conn.c b/modules/http2/h2_conn.c
index 16b82282cc..827217d903 100644
--- a/modules/http2/h2_conn.c
+++ b/modules/http2/h2_conn.c
@@ -370,16 +370,17 @@ apr_status_t h2_slave_run_pre_connection(conn_rec *slave, apr_socket_t *csd)
* (Not necessarily in pre_connection, but later. Set it here, so it
* is in place.) */
slave->keepalives = 1;
+ /* We signal that this connection will be closed after the request.
+ * Which is true in that sense that we throw away all traffic data
+ * on this slave connection after each requests. Although we might
+ * reuse internal structures like memory pools.
+ * The wanted effect of this is that httpd does not try to clean up
+ * any dangling data on this connection when a request is done. Which
+ * is unneccessary on a h2 stream.
+ */
+ slave->keepalive = AP_CONN_CLOSE;
+ return ap_run_pre_connection(slave, csd);
}
- /* We signal that this connection will be closed after the request.
- * Which is true in that sense that we throw away all traffic data
- * on this slave connection after each requests. Although we might
- * reuse internal structures like memory pools.
- * The wanted effect of this is that httpd does not try to clean up
- * any dangling data on this connection when a request is done. Which
- * is unneccessary on a h2 stream.
- */
- slave->keepalive = AP_CONN_CLOSE;
- return ap_run_pre_connection(slave, csd);
+ return APR_SUCCESS;
}
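Review bot: `slave->keepalive = AP_CONN_CLOSE;` now sits inside the conditional block that ends with `return ap_run_pre_connection(slave, csd);`, so the path that falls through to `return APR_SUCCESS;` leaves `keepalive` at whatever value it already had. The block's condition is above the hunk, but if that second path is the one taken for a reused slave, the cleanup suppression the comment describes is not reapplied there, while the h2_mplx.c hunk in this commit reuses a slave only when `keepalive == AP_CONN_KEEPALIVE`. The comment should say which value is expected on the fall-through path, or the assignment should be made on both paths if that is the intent. The moved comment also carries two typos, `unneccessary` and `each requests`.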
diff --git a/modules/http2/h2_mplx.c b/modules/http2/h2_mplx.c
index 0e764f67f0..15ca108cd5 100644
--- a/modules/http2/h2_mplx.c
+++ b/modules/http2/h2_mplx.c
@@ -327,8 +327,7 @@ static int stream_destroy_iter(void *ctx, void *val)
&& !task->rst_error);
}
- task->c = NULL;
- if (reuse_slave) {
+ if (reuse_slave && slave->keepalive == AP_CONN_KEEPALIVE) {
h2_beam_log(task->output.beam, m->c, APLOG_DEBUG,
APLOGNO(03385) "h2_task_destroy, reuse slave");
h2_task_destroy(task);
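Review bot: With `task->c = NULL;` removed, the task keeps its pointer to the slave connection while the branches below dispose of the task and the slave, and `h2_task_destroy` (the h2_task.c hunk in this commit) now passes `task->c` to `h2_beam_log`. The reuse branch destroys the task while the slave is still alive, but the other branch is outside the hunk; if it releases the slave before the task is destroyed, `task->c` would be a stale pointer at that log call. A comment such as `/* task->c must stay valid until h2_task_destroy() has run */`, or clearing `task->c` once the slave is released, would make the lifetime explicit. The new condition also dereferences `slave`; any NULL check on it is above the hunk.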
diff --git a/modules/http2/h2_task.c b/modules/http2/h2_task.c
index f7aa0bdcc4..690250f1f0 100644
--- a/modules/http2/h2_task.c
+++ b/modules/http2/h2_task.c
@@ -545,6 +545,7 @@ h2_task *h2_task_create(conn_rec *slave, int stream_id,
void h2_task_destroy(h2_task *task)
{
if (task->output.beam) {
+ h2_beam_log(task->output.beam, task->c, APLOG_TRACE2, "task_destroy");
h2_beam_destroy(task->output.beam);
task->output.beam = NULL;
}
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 49c46d7e3c..1570d8da64 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -2308,37 +2308,6 @@ void ssl_callback_Info(const SSL *ssl, int where, int rc)
}
#ifdef HAVE_TLSEXT
-
-static apr_status_t set_challenge_creds(conn_rec *c, const char *servername,
- SSL *ssl, X509 *cert, EVP_PKEY *key)
-{
- SSLConnRec *sslcon = myConnConfig(c);
-
- sslcon->service_unavailable = 1;
- if ((SSL_use_certificate(ssl, cert) < 1)) {
- ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO(10086)
- "Failed to configure challenge certificate %s",
- servername);
- return APR_EGENERAL;
- }
-
- if (!SSL_use_PrivateKey(ssl, key)) {
- ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO(10087)
- "error '%s' using Challenge key: %s",
- ERR_error_string(ERR_peek_last_error(), NULL),
- servername);
- return APR_EGENERAL;
- }
-
- if (SSL_check_private_key(ssl) < 1) {
- ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO(10088)
- "Challenge certificate and private key %s "
- "do not match", servername);
- return APR_EGENERAL;
- }
- return APR_SUCCESS;
-}
-
/*
* This function sets the virtual host from an extended
* client hello with a server name indication extension ("SNI", cf. RFC 6066).
@@ -2368,12 +2337,30 @@ static apr_status_t init_vhost(conn_rec *c, SSL *ssl)
return APR_SUCCESS;
}
else if (ssl_is_challenge(c, servername, &cert, &key)) {
- /* With ACMEv1 we can have challenge connections to a unknown domains
- * that need to be answered with a special certificate and will
- * otherwise not answer any requests. */
- if (set_challenge_creds(c, servername, ssl, cert, key) != APR_SUCCESS) {
+
+ sslcon->service_unavailable = 1;
+ if ((SSL_use_certificate(ssl, cert) < 1)) {
+ ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO(10086)
+ "Failed to configure challenge certificate %s",
+ servername);
return APR_EGENERAL;
}
+
+ if (!SSL_use_PrivateKey(ssl, key)) {
+ ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO(10087)
+ "error '%s' using Challenge key: %s",
+ ERR_error_string(ERR_peek_last_error(), NULL),
+ servername);
+ return APR_EGENERAL;
+ }
+
+ if (SSL_check_private_key(ssl) < 1) {
+ ap_log_cerror(APLOG_MARK, APLOG_WARNING, 0, c, APLOGNO(10088)
+ "Challenge certificate and private key %s "
+ "do not match", servername);
+ return APR_EGENERAL;
+ }
+
}
else {
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02044)
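Review bot: `ERR_error_string(ERR_peek_last_error(), NULL)` in the `SSL_use_PrivateKey` failure branch formats into a static buffer inside OpenSSL, which is not thread-safe, so under a threaded MPM two failing handshakes can overwrite each other's message. A local buffer avoids that: `char ebuf[256];` and `ERR_error_string_n(ERR_peek_last_error(), ebuf, sizeof ebuf);`, then log `ebuf`. The inlined block also dropped the comment explaining that these are ACME challenge connections for otherwise unknown domains that will not answer any requests; a short comment above `sslcon->service_unavailable = 1;` would keep that reasoning next to the flag. init_vhost starts and ends outside the hunk.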
@@ -2666,23 +2653,6 @@ int ssl_callback_alpn_select(SSL *ssl,
proposed);
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
-
- /* protocol was switched, this could be a challenge protocol such as "acme-tls/1".
- * For that to work, we need to allow overrides to our ssl certificate.
- * However, exclude challenge checks on our best known traffic protocol.
- * (http/1.1 is the default, we never switch to it anyway.)
- */
- if (strcmp("h2", proposed)) {
- const char *servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
- X509 *cert;
- EVP_PKEY *key;
-
- if (ssl_is_challenge(c, servername, &cert, &key)) {
- if (set_challenge_creds(c, servername, ssl, cert, key) != APR_SUCCESS) {
- return SSL_TLSEXT_ERR_ALERT_FATAL;
- }
- }
- }
}
return SSL_TLSEXT_ERR_OK;