Fix false negatives on plain-HTTP-not-SSL error (Steve Henson). Fix streaming of nph- CGI scripts over SSL.
--- httpd-2.0.48/modules/ssl/ssl_engine_io.c.sslio
+++ httpd-2.0.48/modules/ssl/ssl_engine_io.c
@@ -1091,7 +1091,8 @@
 outctx->rc = APR_EAGAIN;
 return SSL_ERROR_WANT_READ;
 }
- else if (ERR_GET_REASON(ERR_peek_error()) == SSL_R_HTTP_REQUEST) {
+ else if (ERR_GET_LIB(ERR_peek_error()) == ERR_LIB_SSL &&
+ ERR_GET_REASON(ERR_peek_error()) == SSL_R_HTTP_REQUEST) {
 /*
 * The case where OpenSSL has recognized a HTTP request:
 * This means the client speaks plain HTTP on our HTTPS port.
@@ -1281,6 +1282,8 @@
 apr_status_t status = APR_SUCCESS;
 ssl_filter_ctx_t *filter_ctx = f->ctx;
 bio_filter_in_ctx_t *inctx;
+ bio_filter_out_ctx_t *outctx;
+ apr_read_type_e rblock = APR_NONBLOCK_READ;
 if (f->c->aborted) {
 apr_brigade_cleanup(bb);
@@ -1293,6 +1296,8 @@
 }
 inctx = (bio_filter_in_ctx_t *)filter_ctx->pbioRead->ptr;
+ outctx = (bio_filter_out_ctx_t *)filter_ctx->pbioWrite->ptr;
+
 /* When we are the writer, we must initialize the inctx
 * mode so that we block for any required ssl input, because
 * output filtering is always nonblocking.
@@ -1312,8 +1317,6 @@
 */
 if (APR_BUCKET_IS_EOS(bucket) || APR_BUCKET_IS_FLUSH(bucket)) {
 if (bio_filter_out_flush(filter_ctx->pbioWrite) < 0) {
- bio_filter_out_ctx_t *outctx =
- (bio_filter_out_ctx_t *)(filter_ctx->pbioWrite->ptr);
 status = outctx->rc;
 break;
 }
@@ -1343,7 +1346,18 @@
 const char *data;
 apr_size_t len;
- status = apr_bucket_read(bucket, &data, &len, APR_BLOCK_READ);
+ status = apr_bucket_read(bucket, &data, &len, rblock);
+
+ if (APR_STATUS_IS_EAGAIN(status)) {
+ /* No data available: flush... */
+ if (bio_filter_out_flush(filter_ctx->pbioWrite) < 0) {
+ status = outctx->rc;
+ break;
+ }
+ rblock = APR_BLOCK_READ;
+ continue; /* and try again with a blocking read. */
+ }
+ rblock = APR_NONBLOCK_READ;
 if (!APR_STATUS_IS_EOF(status) && (status != APR_SUCCESS)) {
 break;
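Review bot: The new condition in the `@@ -1091` hunk calls `ERR_peek_error()` twice, and the comment under it still does not say why the library has to be checked. Reading the entry once into a local declared at the top of the enclosing block, `unsigned long err = ERR_peek_error();`, and testing `ERR_GET_LIB(err) == ERR_LIB_SSL && ERR_GET_REASON(err) == SSL_R_HTTP_REQUEST` keeps both halves tied to the same queue entry. A one-line comment such as `/* reason codes are only unique within one OpenSSL library, so match the library too */` would record the reason for the fix. The check inspects the oldest queued error, so it presumably relies on the queue being cleared before the SSL call; that code, and the rest of the enclosing function, is outside the hunk.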
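Review bot: `rblock` in the `@@ -1281` hunk carries state from one bucket to the next but is declared without a comment, so the reason for starting in non-blocking mode only becomes clear much further down. A comment on the declaration, for example `/* read mode for the next bucket: non-blocking first, so pending output can be flushed before we block */`, would make the retry logic easier to audit. The function body continues outside the hunk.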
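Review bot: In the `@@ -1343` hunk the EAGAIN branch retries whenever `apr_bucket_read()` reports EAGAIN, including when the read that just failed was already the blocking one. If some bucket type returned EAGAIN in blocking mode, the loop would flush and retry without making progress and tie up the worker. Restricting the retry to the non-blocking attempt, `if (rblock == APR_NONBLOCK_READ && APR_STATUS_IS_EAGAIN(status)) {`, lets a second EAGAIN fall through to the existing `status != APR_SUCCESS` break. Whether any bucket type behaves that way is not visible here, and the loop header lies outside the hunk.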