From 8395e7a25883abeee685bc58a37dc540bcf233c3 Mon Sep 17 00:00:00 2001 From: Mark Janssen -- Sig-I/O Automatisering Date: Thu, 7 May 2020 17:04:20 +0200 Subject: [PATCH] Apply debian patch: 001_apache_bug_29744_workaround.patch --- README | 5 +++++ cmdline.c | 26 ++++++++++++++++++++++++-- cmdline.h | 2 ++ docs/proxytunnel.1.adoc | 8 ++++++++ http.c | 10 ++++++++++ 5 files changed, 49 insertions(+), 2 deletions(-) diff --git a/README b/README index bdb7fe3..67565f6 100644 --- a/README +++ b/README @@ -33,6 +33,11 @@ Standard options: -e, --encrypt SSL encrypt data between local proxy and destination -E, --encrypt-proxy SSL encrypt data between client and local proxy -X, --encrypt-remproxy SSL encrypt data between local and remote proxy + -W, --wa-bug-29744 workaround ASF Bugzilla 29744, if SSL is active stop + using it after CONNECT (might not work on all setups; + see /usr/share/doc/proxytunnel/README.Debian.gz) + -B, --buggy-encrypt-proxy Equivalent to -E -W, provided for backwards + compatibility -L (legacy) enforce TLSv1 connection -T, --no-ssl3 Do not connect using SSLv3 diff --git a/cmdline.c b/cmdline.c index e1ee9b0..7fa3613 100644 --- a/cmdline.c +++ b/cmdline.c @@ -59,6 +59,11 @@ void cmdline_parser_print_help (void) { " -e, --encrypt SSL encrypt data between local proxy and destination\n" " -E, --encrypt-proxy SSL encrypt data between client and local proxy\n" " -X, --encrypt-remproxy SSL encrypt data between local and remote proxy\n" +" -W, --wa-bug-29744 Workaround ASF Bugzilla 29744: if SSL is active stop\n" +" using it after CONNECT (might not work on all setups; see\n" +" /usr/share/doc/proxytunnel/README.Debian.gz)\n" +" -B, --buggy-encrypt-proxy Equivalent to -E -W, provided for backwards\n" +" compatibility\n" " -L (legacy) enforce TLSv1 connection\n" " -T, --no-ssl3 Do not connect using SSLv3\n" #endif @@ -138,6 +143,7 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar args_info->encrypt_given = 0; args_info->encryptproxy_given = 0; args_info->encryptremproxy_given = 0; + args_info->wa_bug_29744_given = 0; args_info->proctitle_given = 0; args_info->enforcetls1_given = 0; args_info->host_given = 0; @@ -166,6 +172,7 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar args_info->encrypt_flag = 0; \ args_info->encryptproxy_flag = 0; \ args_info->encryptremproxy_flag = 0; \ + args_info->wa_bug_29744_flag = 0; \ args_info->no_ssl3_flag = 0; \ args_info->proctitle_arg = NULL; \ args_info->enforcetls1_flag = 0; \ @@ -215,15 +222,17 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar { "encrypt", 0, NULL, 'e' }, { "encrypt-proxy", 0, NULL, 'E' }, { "encrypt-remproxy",0,NULL, 'X' }, + { "wa-bug-29744", 0, NULL, 'W' }, + { "buggy-encrypt-proxy", 0, NULL, 'B' }, { "no-ssl3", 0, NULL, 'T' }, { "no-check-certificate",0,NULL,'z' }, { "cacert", 1, NULL, 'C' }, { NULL, 0, NULL, 0 } }; - c = getopt_long (argc, argv, "hVia:u:s:t:F:p:P:r:R:d:H:x:nvNeEXqLo:TzC:", long_options, &option_index); + c = getopt_long (argc, argv, "hVia:u:s:t:F:p:P:r:R:d:H:x:nvNeEXWBqLo:TzC:", long_options, &option_index); #else - c = getopt( argc, argv, "hVia:u:s:t:F:p:P:r:R:d:H:x:nvNeEXqLo:TzC:" ); + c = getopt( argc, argv, "hVia:u:s:t:F:p:P:r:R:d:H:x:nvNeEXWBqLo:TzC:" ); #endif if (c == -1) @@ -247,6 +256,19 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar if( args_info->verbose_flag ) message("SSL client to proxy enabled\n"); break; + + case 'W': /* if SSL is active stop it after CONNECT */ + args_info->wa_bug_29744_flag = !(args_info->wa_bug_29744_flag); + if( args_info->verbose_flag ) + message("If SSL is active stop it after CONNECT\n"); + break; + + case 'B': /* do -E -W */ + args_info->wa_bug_29744_flag = !(args_info->wa_bug_29744_flag); + args_info->encryptproxy_flag = !(args_info->encryptproxy_flag); + if( args_info->verbose_flag ) + message("SSL client to proxy enabled, only until CONNECT\n"); + break; #endif case 'i': /* Run from inetd. */ diff --git a/cmdline.h b/cmdline.h index cd85191..6ce019a 100644 --- a/cmdline.h +++ b/cmdline.h @@ -47,6 +47,7 @@ struct gengetopt_args_info { int encrypt_flag; /* Turn on SSL encryption (default=off). */ int encryptproxy_flag; /* Turn on client to proxy SSL encryption (def=off).*/ int encryptremproxy_flag; /* Turn on local to remote proxy SSL encryption (def=off).*/ + int wa_bug_29744_flag; /* Use SSL encryption only until CONNECT, if at all (def=off).*/ int no_ssl3_flag; /* Turn off SSLv3 (default=on) */ char *proctitle_arg; /* Override process title (default=off). */ int enforcetls1_flag; /* Override default and enforce TLSv1 */ @@ -75,6 +76,7 @@ struct gengetopt_args_info { int encrypt_given; /* Whether encrypt was given */ int encryptproxy_given; /* Whether encrypt was given */ int encryptremproxy_given; /* Whether encrypt was given */ + int wa_bug_29744_given; /* Whether work around was given */ int proctitle_given; /* Whether to override process title */ int enforcetls1_given; /* Wheter to enforce TLSv1 */ int host_given; /* Wheter we override the Host Header */ diff --git a/docs/proxytunnel.1.adoc b/docs/proxytunnel.1.adoc index 3b7f039..7d136ee 100644 --- a/docs/proxytunnel.1.adoc +++ b/docs/proxytunnel.1.adoc @@ -46,6 +46,14 @@ also be used for other proxy-traversing purposes like proxy bouncing. *-X*, *--encrypt-remproxy*:: SSL encrypt data between local and remote (secondary) proxy +*-W*, *--wa-bug-29744*:: + If SSL is in use (by *-e*, *-E*, *-X* options), stop using it + immediately after the CONNECT exchange to workaround apache server + bugs. (This might not work on all setups; see + /usr/share/doc/proxytunnel/README.Debian.gz for more details.) + +*-B*, *--buggy-encrypt-proxy*:: + Equivalent to *-E -W*. (Provided for backwards compatibility.) == ADDITIONAL OPTIONS diff --git a/http.c b/http.c index 3b85418..f83edb4 100644 --- a/http.c +++ b/http.c @@ -149,6 +149,11 @@ void proxy_protocol(PTSTREAM *pts) { // if( args_info.verbose_flag ) // message( "Data received from local proxy:\n"); + if( args_info.wa_bug_29744_flag && !args_info.encryptremproxy_flag && pts->ssl ) { + message( "Switching to non-SSL communication (local proxy)\n"); + pts->ssl = 0; + } + /* Read the first line of the response and analyze it */ analyze_HTTP(pts); @@ -191,6 +196,11 @@ void proxy_protocol(PTSTREAM *pts) { // if( args_info.verbose_flag ) // message( "Received from remote proxy:\n"); + if( args_info.wa_bug_29744_flag && pts->ssl ) { + message( "Switching to non-SSL communication (remote proxy)\n"); + pts->ssl = 0; + } + /* Read the first line of the response and analyze it */ analyze_HTTP(pts); }