Bug 15057

Summary: ssl_var_lookup_ssl does not handle SSL_get_session returning NULL
Product: Apache httpd-2 Reporter: Otmar Lendl <lendl>
Component: mod_sslAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: CLOSED FIXED    
Severity: minor Keywords: PatchAvailable
Priority: P3    
Version: 2.0.48   
Target Milestone: ---   
Hardware: PC   
OS: Linux   

Description Otmar Lendl 2002-12-04 12:13:51 UTC
While working on an Apache 2.0 connection handler to implement EPP within Apache
(see https://sourceforge.net/projects/aepps/) I noticed the following:

If I turn on StdEnvVars httpd will dump core in ssl_var_lookup_ssl as
SSL_get_session returns a NULL pointer. After spending an afternoon with gdb,
etherreal and ssl-telnet I have no clue why connecting with ssl-telnet to 
an SSL/HTTP port gives me a non-NULL session variable whereas using the same
client to connect to my connection-handler returns a NULL value.

I'm using openssl 0.9.6g.

To work around the issue until I eventually find the real cause, I applied
the folllowing patch to my 2.0.43 source-tree:

--- ssl_engine_vars.c   2002/12/04 11:27:14     1.1
+++ ssl_engine_vars.c   2002/12/04 11:27:34
@@ -280,7 +280,8 @@
     else if (ssl != NULL && strcEQ(var, "SESSION_ID")) {
         char buf[SSL_SESSION_ID_STRING_LEN];
         SSL_SESSION *pSession = SSL_get_session(ssl);
-        result = apr_pstrdup(p, SSL_SESSION_id2sz(
+       if (pSession)
+               result = apr_pstrdup(p, SSL_SESSION_id2sz(
                                 buf, sizeof(buf)));

I'm not sure whether this is an issue with mod_ssl, my connection-handler or
openssl. As the patch is simple enough, I would recommend to apply it to
the offcial tree in any case.


Comment 1 Joe Orton 2004-01-12 10:53:17 UTC
Ah, I just found a repro case for SSL_get_session returning NULL: when serving
the "you sent a plain HTTP request over an SSL connection" error message.

Thanks for the patch! It's committed to 2.1 and will be proposed for backport
for 2.0.