From 87a401af05d4df5ecdbec653557d24e991f9a3ec Mon Sep 17 00:00:00 2001
From: Felipe Zimmerle
Date: Thu, 27 Nov 2014 08:36:32 -0800
Subject: [PATCH] Fix remote resources download while hosting SSL site on Apache

As reported by Christian Folin and Walter Hop on our dev mailing list, Apache mod_ssl was failing if a remote resource was utilized. That was happening because Curl clean up was also cleaning up the OpenSSL data used by mod_ssl. This patch moves Curl initialization to happens while ModSecurity is initialized.
---
 CHANGES | 5 +++++
 apache2/modsecurity.c | 14 ++++++++++++++
 apache2/msc_remote_rules.c | 2 --
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index d0ee408f..0fc9f546 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,11 @@
 DD mmm YYYY - 2.9.????? (To be released)
 -----------------------
+ * Remote resources loading process is now failing in case of HTTP error.
+ [Walter Hop and ModSecurity team]
+ * Fixed start up crash on Apache with mod_ssl configured. Crash was happening
+ during the download of remote resources.
+ [Christian Folini, Walter Hop and ModSecurity team]
 * Curl is not a mandatory dependency to ModSecurity core anymore.
 [Rainer Jung and ModSecurity team]

diff --git a/apache2/modsecurity.c b/apache2/modsecurity.c
index 8233a14d..da89faa7 100644
--- a/apache2/modsecurity.c
+++ b/apache2/modsecurity.c
@@ -23,6 +23,10 @@
 #include "msc_xml.h"
 #include "apr_version.h"
+#ifdef WITH_CURL
+#include
+#endif
+
 unsigned long int DSOLOCAL unicode_codepage = 0;
 int DSOLOCAL *unicode_map_table = NULL;
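Review bot: The new `#include` directive inside the `#ifdef WITH_CURL` block carries no header name as rendered here; `curl_global_init` and `CURL_GLOBAL_ALL`, which modsecurity_init calls in the next hunk, come from libcurl's public header `<curl/curl.h>`, so if the angle-bracketed name was stripped by the page rather than the patch nothing is wrong, otherwise a WITH_CURL build fails at that call. Worth confirming against the actual commit before merging.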
@@ -118,6 +122,16 @@ msc_engine *modsecurity_create(apr_pool_t *mp, int processing_mode) {
 int modsecurity_init(msc_engine *msce, apr_pool_t *mp) {
 apr_status_t rc;
+ /**
+ * Notice that curl is initialized here but never cleaned up. First version
+ * of this implementation curl was initialized and cleaned for every
+ * utilization. Turns out that it was not only cleaning stuff that was
+ * utilized by Curl but also other OpenSSL stuff that was utilized by
+ * mod_ssl leading the SSL support to crash.
+ */
+#ifdef WITH_CURL
+ curl_global_init(CURL_GLOBAL_ALL);
+#endif
 /* Serial audit log mutext */
 rc = apr_global_mutex_create(&msce->auditlog_lock, NULL, APR_LOCK_DEFAULT, mp);
 if (rc != APR_SUCCESS) {
diff --git a/apache2/msc_remote_rules.c b/apache2/msc_remote_rules.c
index 8a943150..43492c72 100644
--- a/apache2/msc_remote_rules.c
+++ b/apache2/msc_remote_rules.c
@@ -258,7 +258,6 @@ int msc_remote_download_content(apr_pool_t *mp, const char *uri, const char *key
 apr_id = apr_psprintf(mp, "ModSec-unique-id: %s", id);
- curl_global_init(CURL_GLOBAL_ALL);
 curl = curl_easy_init();
 beacon_str_len = msc_beacon_string(NULL, 0);
@@ -348,7 +347,6 @@ int msc_remote_download_content(apr_pool_t *mp, const char *uri, const char *key
 curl_easy_cleanup(curl);
- curl_global_cleanup();
 return 0;
 #else
 return -3;
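Review bot: The return value of `curl_global_init(CURL_GLOBAL_ALL)` is discarded in modsecurity_init; libcurl signals failure with a code other than `CURLE_OK`, and on failure every later `curl_easy_init()` in msc_remote_download_content runs against a library that never initialised, so the call should be checked and routed to the same error path as the mutex failure that follows it, e.g. `if (curl_global_init(CURL_GLOBAL_ALL) != CURLE_OK) { return -1; }` using whichever value the existing `rc != APR_SUCCESS` branch returns (that branch lies past the hunk). libcurl documents the global init as not thread-safe, so it belongs only on the single-threaded startup path; modsecurity_init looks like that path, but confirm it is never re-entered from a worker thread. The block comment would read better as plain prose, for example `/* libcurl is initialised once here and intentionally never cleaned up: curl_global_cleanup() also tears down OpenSSL state that mod_ssl still uses. */`. modsecurity_init continues beyond the hunk.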
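Review bot: With `curl_global_init` removed here, msc_remote_download_content now silently depends on modsecurity_init having done the global init first, and nothing at the removed line records that, so a comment such as `/* curl_global_init() is done once in modsecurity_init(); never add curl_global_init()/curl_global_cleanup() here, cleanup also destroys OpenSSL state shared with mod_ssl */` would stop the next maintainer from reintroducing the pair that caused the crash. The same comment applies to the second hunk of this file, where `curl_global_cleanup` is removed after `curl_easy_cleanup(curl)`. The visible lines also do not check `curl = curl_easy_init()` for NULL before it is used; if that check lives past the hunk this is moot, otherwise it is needed because a NULL handle is the only signal this function gets when the global init did not happen. msc_remote_download_content starts and ends outside both hunks.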