mod_proxy/ssl: Proxy SSL client certificate

rainerjung · rainerjung · commit efc0a47d28d5 · 2019-05-16T12:52:29.000Z
configuration and other proxy SSL configurations broken inside <Proxy> context. PR 63430 Triggered by r1855646+r1855748. Patch from rpluem (proxy) and ylavic (ssl). git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1859371 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/CHANGES b/CHANGES
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.1
 
+  *) mod_proxy/ssl: Proxy SSL client certificate configuration and other proxy
+     SSL configurations broken inside <Proxy> context.  PR 63430.
+     [Ruediger Pluem, Yann Ylavic]
+
   *) mod_reqtimeout: Fix default rates missing (not applied) in 2.4.39.
      PR 63325. [Yann Ylavic]
 
diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
@@ -2107,13 +2107,10 @@ static int proxy_http_handler(request_rec *r, proxy_worker *worker,
         }
 
         /* Step Three: Create conn_rec */
+        if ((status = ap_proxy_connection_create_ex(proxy_function,
+                                                    backend, r)) != OK)
+            break;
         req->origin = backend->connection;
-        if (!req->origin) {
-            if ((status = ap_proxy_connection_create_ex(proxy_function,
-                                                        backend, r)) != OK)
-                break;
-            req->origin = backend->connection;
-        }
 
         /* Don't recycle the connection if prefetch (above) told not to do so */
         if (toclose) {
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
@@ -492,10 +492,20 @@ static SSLConnRec *ssl_init_connection_ctx(conn_rec *c,
     SSLConnRec *sslconn = myConnConfig(c);
     int need_setup = 0;
 
+    /* mod_proxy's (r->)per_dir_config has the lifetime of the request, thus
+     * it uses ssl_engine_set() to reset sslconn->dc when reusing SSL backend
+     * connections, so we must fall through here. But in the case where we are
+     * called from ssl_init_ssl_connection() with no per_dir_config (which also
+     * includes mod_proxy's later run_pre_connection call), sslconn->dc should
+     * be preserved if it's already set.
+     */
     if (!sslconn) {
         sslconn = apr_pcalloc(c->pool, sizeof(*sslconn));
         need_setup = 1;
     }
+    else if (!new_proxy) {
+        return sslconn;
+    }
 
     /* Reinit dc in any case because it may be r->per_dir_config scoped
      * and thus a caller like mod_proxy needs to update it per request.
