The core output filter used to determine first if it needed to block before
trying to send its data (including set aside ones), and if so it did call
send_brigade_blocking().
This can be avoided by making send_brigade_nonblocking() send as much data as
possible (nonblocking), and only if data remain check whether they should be
flushed (blocking), according to the same ap_filter_reinstate_brigade()
heuristics but afterward.
This allows both to simplify the code (axe send_brigade_blocking and some
duplicated logic) and optimize sends since send_brigade_nonblocking() is now
given all the buckets so it can make use of scatter/gather (iovec) or NOPUSH
option with the whole picture.
When sendfile is available and/or with fine tuning of FlushMaxThreshold (and
ReadBufferSize) from r1836032, one can now take advantage of modern network
speeds and bandwidth.
This commit also adds some APLOG_TRACE6 messages for outputed bytes (including
at mod_ssl level since splitting happens there when it's active).
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1836237 13f79535-47bb-0310-9956-ffa450edef68
LibreSSL defines OPENSSL_VERSION_NUMBER = 2.0, but is not compatible with
all of the latest OpenSSL 1.1 API.
Address this by defining MODSSL_USE_OPENSSL_PRE_1_1_API which is true for
anything but OpenSSL >= 1.1 (for now).
Proposed by: Bernard Spil <brnrd freebsd.org>
Reviewed by: ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1803396 13f79535-47bb-0310-9956-ffa450edef68
If other modules or libraries do not clear the OpenSSL error queue after
a failed operation, other code that relies on SSL_get_error() -- in
particular, code that deals with SSL_ERROR_WANT_READ/WRITE logic -- will
malfunction later on. To prevent this, explicitly clear the error queue
before calls like SSL_read/write/accept().
PR: 60223
Submitted by: Paul Spangler <paul.spangler ni.com>
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1769332 13f79535-47bb-0310-9956-ffa450edef68
such that disabling either disables both, and that enabling either will
trigger the more comprehensive SSLProxyCheckPeerName behavior.
Only a single configuration remains to enable the legacy behavior, which
is to explicitly disable SSLProxyCheckPeerName and enable SSLProxyCheckPeerCN.
Changes to the proxy config directives leads us to a different 2.4 fix...
https://github.com/wrowe/patches/blob/master/fix_proxy_check_peer-2.4.x.patch
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1746647 13f79535-47bb-0310-9956-ffa450edef68
Coalesce when (subsequent brigade's) data bucket is not last (likely followed
by FLUSH or EOS) but we have buffered data already.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1723143 13f79535-47bb-0310-9956-ffa450edef68
Fix "HTTP spoken on HTTPS port" broken by the SSL handshake trigger moved to
process_connection hook (r1709602) along with H2Direct speculative read.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1715023 13f79535-47bb-0310-9956-ffa450edef68
Flush SSL/TLS handshake data when writing (instead of before reading),
and only when necessary (openssl < 0.9.8m or proxy/client side).
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1707230 13f79535-47bb-0310-9956-ffa450edef68
This defeats deferred write (and pipelining), eg. check_pipeline() is not
expecting the pipe to be flushed under it.
So let OpenSSL >= 0.9.8m issue the flush when necessary (earlier versions
are known to not handle all the cases, so we keep flushing with those).
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1705823 13f79535-47bb-0310-9956-ffa450edef68
Such readers are prepared to receive empty data anyway (and take appropriate
action), while e.g. check_pipeline() is not expecting the pipe to be flushed
under it.
Reverted by: r1705820
Replaced by: r1705823
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1705236 13f79535-47bb-0310-9956-ffa450edef68
* modules/ssl/mod_ssl.c, modules/ssl/mod_ssl.h: drop
modssl_register_npn optional function and related declarations.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks):
no longer set NPN advertisement callback.
* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): remove
NPN handling.
* modules/ssl/ssl_engine_kernel.c (ssl_callback_AdvertiseNextProtos):
remove callback.
* modules/ssl/ssl_private.h: remove NPN prototypes, set
HAVE_TLS_ALPN (OpenSSL 1.0.2 and later) with feature-based detection.
Rename SSLAlpnPreference to SSLALPNPreference, and add documentation.
Previous commits related to NPN and ALPN, for reference purposes:
r1332643 - Add support for TLS Next Protocol Negotiation
r1487772 - mod_ssl: Redesign NPN (Next Protocol Negotiation) API
to avoid use of hooks API and inter-module hard linkage
r1670397 - ALPN support, based on mod_spdy/mod_h2 patch set
r1670434 - More ALPN goodness
(plus some minor tweaks: r1670578, r1670440, r1670578,
r1670738, r1675459, and r1675549)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1676004 13f79535-47bb-0310-9956-ffa450edef68
More uses of ap_map_http_request_error() and AP_FILTER_ERROR so that we never
return an HTTP error status from a handler if some filter generated a response
already.
That is, from a handler, either ap_get_brigade() (an input filter) returned
AP_FILTER_ERROR and we must forward it to ap_die(), or ap_pass_brigade() (an
output filter) failed with any status and we must return AP_FILTER_ERROR in
any case for ap_die() to determine whether a response is needed or not.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1665625 13f79535-47bb-0310-9956-ffa450edef68
return an error code understood by ssl_io_filter_error().
That function needs to perform error handling, and a valid
apr_status_t needs to be returned up.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1645529 13f79535-47bb-0310-9956-ffa450edef68
SSLSessionCache are used and SSL session is resumed. SSL_CLIENT_VERIFY value
has been set to SUCCESS on resumption even when originally it was set to
GENEROUS. PR 53193.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1633085 13f79535-47bb-0310-9956-ffa450edef68
