Bug 15057 - ssl_var_lookup_ssl does not handle SSL_get_session returning NULL
Summary: ssl_var_lookup_ssl does not handle SSL_get_session returning NULL
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl (show other bugs)
Version: 2.0.48
Hardware: PC Linux
: P3 minor (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: PatchAvailable
Depends on:
Reported: 2002-12-04 12:13 UTC by Otmar Lendl
Modified: 2004-11-16 19:05 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Otmar Lendl 2002-12-04 12:13:51 UTC
While working on an Apache 2.0 connection handler to implement EPP within Apache
(see https://sourceforge.net/projects/aepps/) I noticed the following:

If I turn on StdEnvVars httpd will dump core in ssl_var_lookup_ssl as
SSL_get_session returns a NULL pointer. After spending an afternoon with gdb,
etherreal and ssl-telnet I have no clue why connecting with ssl-telnet to 
an SSL/HTTP port gives me a non-NULL session variable whereas using the same
client to connect to my connection-handler returns a NULL value.

I'm using openssl 0.9.6g.

To work around the issue until I eventually find the real cause, I applied
the folllowing patch to my 2.0.43 source-tree:

--- ssl_engine_vars.c   2002/12/04 11:27:14     1.1
+++ ssl_engine_vars.c   2002/12/04 11:27:34
@@ -280,7 +280,8 @@
     else if (ssl != NULL && strcEQ(var, "SESSION_ID")) {
         char buf[SSL_SESSION_ID_STRING_LEN];
         SSL_SESSION *pSession = SSL_get_session(ssl);
-        result = apr_pstrdup(p, SSL_SESSION_id2sz(
+       if (pSession)
+               result = apr_pstrdup(p, SSL_SESSION_id2sz(
                                 buf, sizeof(buf)));

I'm not sure whether this is an issue with mod_ssl, my connection-handler or
openssl. As the patch is simple enough, I would recommend to apply it to
the offcial tree in any case.


Comment 1 Joe Orton 2004-01-12 10:53:17 UTC
Ah, I just found a repro case for SSL_get_session returning NULL: when serving
the "you sent a plain HTTP request over an SSL connection" error message.

Thanks for the patch! It's committed to 2.1 and will be proposed for backport
for 2.0.