Subject: SSL Proxied via HTTP "CONNECT" fails - fixed
When HTTPS_PROXY is set, an attempt to connect to an SSL server via
Apache fails unpredictably. The problem is timing or load related.
Cause:
The proxy_connect_helper function assumes that the HTTP 200 reply and
the remainder of the reply headers will arrive in a single packet, but
this may not be the case if system or network load is high. In that
case, only the first line of the headers is removed from the input
stream, leaving the remaining lines in the stream. These leftover
lines are not valid SSL data, so the connection later fails.
Solution:
Change the code in SSL.pm to ensure that the complete HTTP response
header is consumed, using something like:
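    $connect_string .= $CRLF;
    $self->SUPER::send($connect_string);
    # Keep reading until the blank line that ends the response header,
    # since the reply may arrive in more than one packet.
    my $header = "";
    while ($header !~ m/\r\n\r\n$/s) {
        my $h = "";
        my $n = $self->SUPER::sysread($h, 8192);
        last unless ($n);    # EOF or read error: stop and test what we have
        $header .= $h;
    }
    my $conn_ok = ($header =~ /HTTP\/\d+\.\d+\s+200\s+/is) ? 1 : 0;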
instead of the existing:
    $connect_string .= $CRLF;
    $self->SUPER::send($connect_string);
    my $header;
    # Single read: takes only what has arrived so far.
    my $n = $self->SUPER::sysread($header, 8192);
    my $conn_ok = ($header =~ /HTTP\/\d+\.\d+\s+200\s+/is) ? 1 : 0;
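
The split-reply failure described above can be reproduced without a proxy. The following is an added example, not code from this report or from SSL.pm: make_reader, read_once, read_full_header, connect_ok, the 16 KB cap and the sample reply are all assumptions made for the demonstration. It goes slightly beyond the fix above by capping the header size and by testing only the status line.

```perl
use strict;
use warnings;

my $MAX_HEADER = 16 * 1024;    # assumed cap, not taken from the report

# Hypothetical stand-in for $self->SUPER::sysread: each call hands out one
# queued chunk, the way a loaded network delivers a reply in pieces.
sub make_reader {
    my @queue = @_;
    return sub { return 0 unless @queue; $_[0] = shift @queue; return length $_[0] };
}

# Existing behaviour: a single read, whatever has arrived is "the reply".
sub read_once { my ($read) = @_; my $header = ""; $read->($header); return $header }

# Fixed behaviour: read until the blank line that ends the header block.
sub read_full_header {
    my ($read) = @_;
    my $header = "";
    until ($header =~ /\r\n\r\n\z/) {
        my $h = "";
        my $n = $read->($h);
        last unless $n;                       # EOF before the header ended
        $header .= $h;
        die "proxy reply header too large\n" if length($header) > $MAX_HEADER;
    }
    return $header;
}

# Only the status line decides success; later header lines are ignored.
sub connect_ok { return $_[0] =~ m{\AHTTP/\d+\.\d+\s+200\s}i ? 1 : 0 }

# Constructed sample reply, split across two reads as in the report.
my @reply = (
    "HTTP/1.0 200 Connection established\r\n",
    "Proxy-agent: example-proxy\r\n\r\n",
);

for my $case ([single => \&read_once], [looped => \&read_full_header]) {
    my ($name, $fn) = @$case;
    my $reader = make_reader(@reply);
    my $ok     = connect_ok($fn->($reader));
    my $left   = "";
    $reader->($left);    # bytes the SSL layer would be handed next
    printf "%s read: ok=%d, leftover header bytes=%d\n", $name, $ok, length $left;
}
```

Both modes report the CONNECT as successful, but only the single read leaves header bytes behind for the SSL handshake to trip over.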