I'm issuing a request: GET /index.php HTTP/1.1 Host: localhost Upgrade: TLS/1.0 Connection: upgrade And my client crashes because it can't parse the plaintext given back by index.php (which contains <?php for ($i = 0; $i < 10; $i++) echo "foobar"; ?>). In strace it's clearly visible: [pid 16349] recv(8, "\24\3\1\0\1\1\26\3\1\0000f\212W\335\273\16L\352\357\3054\32\204\311\376 \264a4l\3670\17\303e\224\202\370!\361\271\311\320\360\356\210ZN\255w\314 ~\351\377=}\250irfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobar", 2048, 0) = 119 If an OPTION * HTTP/1.1-request is sent before, it correctly switches and processes the next request. You can reproduce it by using tlsupgrade.c: Get http://people.apache.org/~bnicholes/tlsupgrade/tlsupgrade.c Compile it with gcc -lssl -o tlsupgrade tlsupgrade.c Run it using: strace -s 2048 ./tlsupgrade http://localhost/index.php SSLEngine needs to be set to optional for the vhost (on port 80).
Apparantly the APR_BUCKET_IS_EOC is true for some reason, so ssl_filter_io_shutdown is called and the result is not filtered via SSL anymore. Before APR_BUCKET_IS_EOC is true, ssl_filter_write (which is called when APR_BUCKET_IS_EOC is not true) is called two times with NULL as data- pointer. I don't know if this is normal behaviour and i'm not very into debugging apache, but maybe it gives a hint to the developers.
Fixed on trunk: http://svn.apache.org/viewvc?view=rev&revision=592446