Apply debian patch: 001_apache_bug_29744_workaround.patch

proxytunnel · May 7, 2020 · 8395e7a · 8395e7a
1 parent cb336ca
commit 8395e7a
Show file tree

Hide file tree

Showing 5 changed files with 49 additions and 2 deletions.
diff --git a/README b/README
@@ -33,6 +33,11 @@ Standard options:
  -e, --encrypt             SSL encrypt data between local proxy and destination
  -E, --encrypt-proxy       SSL encrypt data between client and local proxy
  -X, --encrypt-remproxy    SSL encrypt data between local and remote proxy
+ -W, --wa-bug-29744        workaround ASF Bugzilla 29744, if SSL is active stop
+                           using it after CONNECT (might not work on all setups;
+                           see /usr/share/doc/proxytunnel/README.Debian.gz)
+ -B, --buggy-encrypt-proxy Equivalent to -E -W, provided for backwards
+                           compatibility
  -L                        (legacy) enforce TLSv1 connection
  -T, --no-ssl3             Do not connect using SSLv3
 

diff --git a/cmdline.c b/cmdline.c
@@ -59,6 +59,11 @@ void cmdline_parser_print_help (void) {
 " -e, --encrypt             SSL encrypt data between local proxy and destination\n"
 " -E, --encrypt-proxy       SSL encrypt data between client and local proxy\n"
 " -X, --encrypt-remproxy    SSL encrypt data between local and remote proxy\n"
+" -W, --wa-bug-29744        Workaround ASF Bugzilla 29744: if SSL is active stop\n"
+"                           using it after CONNECT (might not work on all setups; see\n"
+"                           /usr/share/doc/proxytunnel/README.Debian.gz)\n"
+" -B, --buggy-encrypt-proxy Equivalent to -E -W, provided for backwards\n"
+"                           compatibility\n"
 " -L                        (legacy) enforce TLSv1 connection\n"
 " -T, --no-ssl3             Do not connect using SSLv3\n"
 #endif
@@ -138,6 +143,7 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 	args_info->encrypt_given = 0;
 	args_info->encryptproxy_given = 0;
 	args_info->encryptremproxy_given = 0;
+	args_info->wa_bug_29744_given = 0;
 	args_info->proctitle_given = 0;
 	args_info->enforcetls1_given = 0;
 	args_info->host_given = 0;
@@ -166,6 +172,7 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 	args_info->encrypt_flag = 0; \
 	args_info->encryptproxy_flag = 0; \
 	args_info->encryptremproxy_flag = 0; \
+	args_info->wa_bug_29744_flag = 0; \
 	args_info->no_ssl3_flag = 0; \
 	args_info->proctitle_arg = NULL; \
 	args_info->enforcetls1_flag = 0; \
@@ -215,15 +222,17 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 			{ "encrypt",		0, NULL, 'e' },
 			{ "encrypt-proxy",	0, NULL, 'E' },
 			{ "encrypt-remproxy",0,NULL, 'X' },
+			{ "wa-bug-29744",	0, NULL, 'W' },
+			{ "buggy-encrypt-proxy",	0, NULL, 'B' },
 			{ "no-ssl3",		0, NULL, 'T' },
 			{ "no-check-certificate",0,NULL,'z' },
 			{ "cacert",         1, NULL, 'C' },
 			{ NULL,				0, NULL, 0 }
 		};
 
-		c = getopt_long (argc, argv, "hVia:u:s:t:F:p:P:r:R:d:H:x:nvNeEXqLo:TzC:", long_options, &option_index);
+		c = getopt_long (argc, argv, "hVia:u:s:t:F:p:P:r:R:d:H:x:nvNeEXWBqLo:TzC:", long_options, &option_index);
 #else
-		c = getopt( argc, argv, "hVia:u:s:t:F:p:P:r:R:d:H:x:nvNeEXqLo:TzC:" );
+		c = getopt( argc, argv, "hVia:u:s:t:F:p:P:r:R:d:H:x:nvNeEXWBqLo:TzC:" );
 #endif
 
 		if (c == -1)
@@ -247,6 +256,19 @@ int cmdline_parser( int argc, char * const *argv, struct gengetopt_args_info *ar
 				if( args_info->verbose_flag )
 					message("SSL client to proxy enabled\n");
 				break;
+
+			case 'W':	/* if SSL is active stop it after CONNECT */
+				args_info->wa_bug_29744_flag = !(args_info->wa_bug_29744_flag);
+				if( args_info->verbose_flag )
+					message("If SSL is active stop it after CONNECT\n");
+				break;
+
+			case 'B':	/* do -E -W */
+				args_info->wa_bug_29744_flag = !(args_info->wa_bug_29744_flag);
+				args_info->encryptproxy_flag = !(args_info->encryptproxy_flag);
+				if( args_info->verbose_flag )
+					message("SSL client to proxy enabled, only until CONNECT\n");
+				break;
 #endif
 
 			case 'i':	/* Run from inetd. */

diff --git a/cmdline.h b/cmdline.h
@@ -47,6 +47,7 @@ struct gengetopt_args_info {
 	int encrypt_flag;		/* Turn on SSL encryption (default=off). */
 	int encryptproxy_flag;	/* Turn on client to proxy SSL encryption (def=off).*/
 	int encryptremproxy_flag;  /* Turn on local to remote proxy SSL encryption (def=off).*/
+	int wa_bug_29744_flag;	/* Use SSL encryption only until CONNECT, if at all (def=off).*/
 	int no_ssl3_flag;		/* Turn off SSLv3 (default=on) */
 	char *proctitle_arg;	/* Override process title (default=off). */
 	int enforcetls1_flag;    /* Override default and enforce TLSv1 */
@@ -75,6 +76,7 @@ struct gengetopt_args_info {
 	int encrypt_given;		/* Whether encrypt was given */
 	int encryptproxy_given;	/* Whether encrypt was given */
 	int encryptremproxy_given;   /* Whether encrypt was given */
+	int wa_bug_29744_given;	/* Whether work around was given */
 	int proctitle_given;	/* Whether to override process title */
 	int enforcetls1_given;   /* Wheter to enforce TLSv1 */
 	int host_given;         /* Wheter we override the Host Header */

diff --git a/docs/proxytunnel.1.adoc b/docs/proxytunnel.1.adoc
@@ -46,6 +46,14 @@ also be used for other proxy-traversing purposes like proxy bouncing.
 *-X*, *--encrypt-remproxy*::
     SSL encrypt data between local and remote (secondary) proxy
 
+*-W*, *--wa-bug-29744*::
+    If SSL is in use (by *-e*, *-E*, *-X* options), stop using it
+    immediately after the CONNECT exchange to workaround apache server
+    bugs.  (This might not work on all setups; see
+    /usr/share/doc/proxytunnel/README.Debian.gz for more details.)
+
+*-B*, *--buggy-encrypt-proxy*::
+    Equivalent to *-E -W*.  (Provided for backwards compatibility.)
 
 == ADDITIONAL OPTIONS
 

diff --git a/http.c b/http.c
@@ -149,6 +149,11 @@ void proxy_protocol(PTSTREAM *pts) {
 //	if( args_info.verbose_flag )
 //		message( "Data received from local proxy:\n");
 
+	if( args_info.wa_bug_29744_flag && !args_info.encryptremproxy_flag && pts->ssl ) {
+		message( "Switching to non-SSL communication (local proxy)\n");
+		pts->ssl = 0;
+	}
+
 	/* Read the first line of the response and analyze it */
 	analyze_HTTP(pts);
 
@@ -191,6 +196,11 @@ void proxy_protocol(PTSTREAM *pts) {
 //		if( args_info.verbose_flag )
 //			message( "Received from remote proxy:\n");
 
+		if( args_info.wa_bug_29744_flag && pts->ssl ) {
+			message( "Switching to non-SSL communication (remote proxy)\n");
+			pts->ssl = 0;
+		}
+
 		/* Read the first line of the response and analyze it */
 		analyze_HTTP(pts);
 	}