* Post Read Request Handler */
| 130 | * Post Read Request Handler |
| 131 | */ |
| 132 | int ssl_hook_ReadReq(request_rec *r) |
| 133 | { |
| 134 | SSLSrvConfigRec *sc = mySrvConfig(r->server); |
| 135 | SSLConnRec *sslconn; |
| 136 | #ifdef HAVE_TLSEXT |
| 137 | const char *servername; |
| 138 | #endif |
| 139 | SSL *ssl; |
| 140 | |
| 141 | /* If we are on a slave connection, we do not expect to have an SSLConnRec, |
| 142 | * but our master connection might. */ |
| 143 | sslconn = myConnConfig(r->connection); |
| 144 | if (!(sslconn && sslconn->ssl) && r->connection->master) { |
| 145 | sslconn = myConnConfig(r->connection->master); |
| 146 | } |
| 147 | |
| 148 | if (!sslconn) { |
| 149 | return DECLINED; |
| 150 | } |
| 151 | |
| 152 | if (sslconn->service_unavailable) { |
| 153 | /* This is set when the SSL properties of this connection are |
| 154 | * incomplete or if this connection was made to challenge a |
| 155 | * particular hostname (ACME). We never serve any request on |
| 156 | * such a connection. */ |
| 157 | /* TODO: a retry-after indicator would be nice here */ |
| 158 | return HTTP_SERVICE_UNAVAILABLE; |
| 159 | } |
| 160 | |
| 161 | if (sslconn->non_ssl_request == NON_SSL_SET_ERROR_MSG) { |
| 162 | apr_table_setn(r->notes, "error-notes", |
| 163 | "Reason: You're speaking plain HTTP to an SSL-enabled " |
| 164 | "server port.<br />\n Instead use the HTTPS scheme to " |
| 165 | "access this URL, please.<br />\n"); |
| 166 | |
| 167 | /* Now that we have caught this error, forget it. we are done |
| 168 | * with using SSL on this request. |
| 169 | */ |
| 170 | sslconn->non_ssl_request = NON_SSL_OK; |
| 171 | |
| 172 | return HTTP_BAD_REQUEST; |
| 173 | } |
| 174 | |
| 175 | /* |
| 176 | * Get the SSL connection structure and perform the |
| 177 | * delayed interlinking from SSL back to request_rec |
| 178 | */ |
| 179 | ssl = sslconn->ssl; |
| 180 | if (!ssl) { |
| 181 | return DECLINED; |
| 182 | } |
| 183 | #ifdef HAVE_TLSEXT |
| 184 | /* |
| 185 | * Perform SNI checks only on the initial request. In particular, |
| 186 | * if these checks detect a problem, the checks shouldn't return an |
| 187 | * error again when processing an ErrorDocument redirect for the |
| 188 | * original problem. |
| 189 | */ |
nothing calls this directly
no test coverage detected