h2o · kazuho · Oct 26, 2017 · Oct 26, 2017 · Oct 26, 2017 · Oct 26, 2017
diff --git a/examples/libh2o/http1client.c b/examples/libh2o/http1client.c
@@ -74,6 +74,12 @@ static void start_request(h2o_http1client_ctx_t *ctx)
         h2o_socketpool_init_specific(sockpool, 10, &url_parsed, 1);
         h2o_socketpool_set_timeout(sockpool, 5000 /* in msec */);
         h2o_socketpool_register_loop(sockpool, ctx->loop);
+
+        SSL_CTX *ssl_ctx = SSL_CTX_new(TLSv1_client_method());
+        SSL_CTX_load_verify_locations(ssl_ctx, H2O_TO_STR(H2O_ROOT) "/share/h2o/ca-bundle.crt", NULL);
+        SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
+        h2o_socketpool_set_ssl_ctx(sockpool, ssl_ctx);
+        SSL_CTX_free(ssl_ctx);
     }
     h2o_http1client_connect(NULL, req, ctx, sockpool, &url_parsed, on_connect, 0);
 }
@@ -213,9 +219,6 @@ int main(int argc, char **argv)
     SSL_load_error_strings();
     SSL_library_init();
     OpenSSL_add_all_algorithms();
-    ctx.ssl_ctx = SSL_CTX_new(TLSv1_client_method());
-    SSL_CTX_load_verify_locations(ctx.ssl_ctx, H2O_TO_STR(H2O_ROOT) "/share/h2o/ca-bundle.crt", NULL);
-    SSL_CTX_set_verify(ctx.ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
 
     while ((opt = getopt(argc, argv, "t:m:b:c:i:")) != -1) {
         switch (opt) {

diff --git a/fuzz/driver.cc b/fuzz/driver.cc
@@ -358,7 +358,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
         hostconf = h2o_config_register_host(&config, h2o_iovec_init(H2O_STRLIT(unix_listener)), 65535);
         register_handler(hostconf, "/chunked-test", chunked_test);
         h2o_url_parse(unix_listener, strlen(unix_listener), &upstream);
-        h2o_proxy_register_reverse_proxy(h2o_config_register_path(hostconf, "/reproxy-test", 0), &upstream, 1, &proxy_config);
+        h2o_proxy_register_reverse_proxy(h2o_config_register_path(hostconf, "/reproxy-test", 0), &upstream, 1, 2000, NULL,
+                                         &proxy_config);
         h2o_file_register(h2o_config_register_path(hostconf, "/", 0), "./examples/doc_root", NULL, NULL, 0);
 
         loop = h2o_evloop_create();

diff --git a/include/h2o.h b/include/h2o.h
@@ -404,10 +404,6 @@ struct st_h2o_globalconf_t {
          * io timeout (in milliseconds)
          */
         uint64_t first_byte_timeout;
-        /**
-         * SSL context for connections initiated by the proxy (optional, governed by the application)
-         */
-        SSL_CTX *ssl_ctx;
         /**
          * a boolean flag if set to true, instructs the proxy to preserve the x-forwarded-proto header passed by the client
          */
@@ -1871,21 +1867,19 @@ typedef struct st_h2o_proxy_config_vars_t {
     uint64_t first_byte_timeout;
     unsigned preserve_host : 1;
     unsigned use_proxy_protocol : 1;
-    uint64_t keepalive_timeout; /* in milliseconds; set to zero to disable keepalive */
     struct {
         int enabled;
         uint64_t timeout;
     } websocket;
     h2o_headers_command_t *headers_cmds;
-    SSL_CTX *ssl_ctx; /* optional */
     size_t max_buffer_size;
 } h2o_proxy_config_vars_t;
 
 /**
  * registers the reverse proxy handler to the context
  */
-void h2o_proxy_register_reverse_proxy(h2o_pathconf_t *pathconf, h2o_url_t *upstreams, size_t count,
-                                      h2o_proxy_config_vars_t *config);
+void h2o_proxy_register_reverse_proxy(h2o_pathconf_t *pathconf, h2o_url_t *upstreams, size_t num_upstreams,
+                                      uint64_t keepalive_timeout, SSL_CTX *ssl_ctx, h2o_proxy_config_vars_t *config);
 /**
  * registers the configurator
  */

diff --git a/include/h2o/http1client.h b/include/h2o/http1client.h
@@ -55,7 +55,6 @@ typedef struct st_h2o_http1client_ctx_t {
     h2o_timeout_t *connect_timeout;
     h2o_timeout_t *first_byte_timeout;
     h2o_timeout_t *websocket_timeout; /* NULL if upgrade to websocket is not allowed */
-    SSL_CTX *ssl_ctx;
 } h2o_http1client_ctx_t;
 
 struct st_h2o_http1client_t {

diff --git a/include/h2o/socketpool.h b/include/h2o/socketpool.h
@@ -87,6 +87,7 @@ typedef struct st_h2o_socketpool_t {
         h2o_timeout_t timeout;
         h2o_timeout_entry_t entry;
     } _interval_cb;
+    SSL_CTX *_ssl_ctx;
 
     /* vars that are modified by multiple threads */
     struct {
@@ -126,6 +127,10 @@ static uint64_t h2o_socketpool_get_timeout(h2o_socketpool_t *pool);
  *
  */
 static void h2o_socketpool_set_timeout(h2o_socketpool_t *pool, uint64_t msec);
+/**
+ *
+ */
+void h2o_socketpool_set_ssl_ctx(h2o_socketpool_t *pool, SSL_CTX *ssl_ctx);
 /**
  * associates a loop
  */

diff --git a/lib/common/http1client.c b/lib/common/http1client.c
@@ -532,24 +532,6 @@ static void on_connection_ready(struct st_h2o_http1client_private_t *client)
     h2o_timeout_link(client->super.ctx->loop, client->super.ctx->io_timeout, &client->_timeout);
 }
 
-static void on_handshake_complete(h2o_socket_t *sock, const char *err)
-{
-    struct st_h2o_http1client_private_t *client = sock->data;
-    h2o_timeout_unlink(&client->_timeout);
-
-    if (err == NULL) {
-        /* success */
-    } else if (err == h2o_socket_error_ssl_cert_name_mismatch &&
-               (SSL_CTX_get_verify_mode(client->super.ctx->ssl_ctx) & SSL_VERIFY_PEER) == 0) {
-        /* peer verification skipped */
-    } else {
-        on_connect_error(client, err);
-        return;
-    }
-
-    on_connection_ready(client);
-}
-
 static void on_pool_connect(h2o_socket_t *sock, const char *errstr, void *data, h2o_url_t *origin)
 {
     struct st_h2o_http1client_private_t *client = data;
@@ -566,13 +548,6 @@ static void on_pool_connect(h2o_socket_t *sock, const char *errstr, void *data,
     client->super.sock = sock;
     sock->data = client;
     client->_origin = origin;
-
-    /* perform TLS handshake if necessary */
-    if (client->_origin->scheme->is_ssl && sock->ssl == NULL) {
-        h2o_socket_ssl_handshake(client->super.sock, client->super.ctx->ssl_ctx, client->_origin->host.base, on_handshake_complete);
-        return;
-    }
-
     h2o_timeout_unlink(&client->_timeout);
 
     on_connection_ready(client);

diff --git a/lib/common/socketpool.c b/lib/common/socketpool.c
@@ -289,6 +289,9 @@ void h2o_socketpool_dispose(h2o_socketpool_t *pool)
     if (pool->_lb.dispose != NULL)
         pool->_lb.dispose(pool->_lb.data);
 
+    if (pool->_ssl_ctx != NULL)
+        SSL_CTX_free(pool->_ssl_ctx);
+
     if (pool->_interval_cb.loop != NULL)
         h2o_socketpool_unregister_loop(pool, pool->_interval_cb.loop);
 
@@ -298,6 +301,15 @@ void h2o_socketpool_dispose(h2o_socketpool_t *pool)
     free(pool->targets.entries);
 }
 
+void h2o_socketpool_set_ssl_ctx(h2o_socketpool_t *pool, SSL_CTX *ssl_ctx)
+{
+    if (pool->_ssl_ctx != NULL)
+        SSL_CTX_free(pool->_ssl_ctx);
+    if (ssl_ctx != NULL)
+        SSL_CTX_up_ref(ssl_ctx);
+    pool->_ssl_ctx = ssl_ctx;
+}
+
 void h2o_socketpool_register_loop(h2o_socketpool_t *pool, h2o_loop_t *loop)
 {
     if (pool->_interval_cb.loop != NULL)
@@ -359,6 +371,22 @@ static void try_connect(h2o_socketpool_connect_request_t *req)
     }
 }
 
+static void on_handshake_complete(h2o_socket_t *sock, const char *err)
+{
+    h2o_socketpool_connect_request_t *req = sock->data;
+
+    assert(req->sock == sock);
+
+    if (err == h2o_socket_error_ssl_cert_name_mismatch && (SSL_CTX_get_verify_mode(req->pool->_ssl_ctx) & SSL_VERIFY_PEER) == 0) {
+        /* ignore CN mismatch if we are not verifying peer */
+    } else if (err != NULL) {
+        h2o_socket_close(sock);
+        req->sock = NULL;
+    }
+
+    call_connect_cb(req, err);
+}
+
 static void on_connect(h2o_socket_t *sock, const char *err)
 {
     h2o_socketpool_connect_request_t *req = sock->data;
@@ -370,12 +398,20 @@ static void on_connect(h2o_socket_t *sock, const char *err)
         h2o_socket_close(sock);
         if (req->remaining_try_count == 0) {
             req->sock = NULL;
-            errstr = "connection failed";
+            errstr = "connection failed"; /* shouldn't we return err? */
         } else {
             try_connect(req);
             return;
         }
+    } else {
+        h2o_url_t *target_url = &req->pool->targets.entries[req->selected_target]->url;
+        if (target_url->scheme->is_ssl) {
+            assert(req->pool->_ssl_ctx != NULL && "h2o_socketpool_set_ssl_ctx must be called for a pool that contains SSL target");
+            h2o_socket_ssl_handshake(sock, req->pool->_ssl_ctx, target_url->host.base, on_handshake_complete);
+            return;
+        }
     }
+
     call_connect_cb(req, errstr);
 }
 

diff --git a/lib/core/config.c b/lib/core/config.c
@@ -193,7 +193,7 @@ void h2o_config_init(h2o_globalconf_t *config)
     config->http2.latency_optimization.max_cwnd = 65535;
     config->http2.callbacks = H2O_HTTP2_CALLBACKS;
     config->mimemap = h2o_mimemap_create();
-    h2o_socketpool_init_global(&config->proxy.global_socketpool, SIZE_MAX /* FIXME */);
+    h2o_socketpool_init_global(&config->proxy.global_socketpool, SIZE_MAX);
 
     h2o_configurator__init_core(config);
 }

diff --git a/lib/core/context.c b/lib/core/context.c
@@ -110,7 +110,6 @@ void h2o_context_init(h2o_context_t *ctx, h2o_loop_t *loop, h2o_globalconf_t *co
     ctx->proxy.client_ctx.io_timeout = &ctx->proxy.io_timeout;
     ctx->proxy.client_ctx.connect_timeout = &ctx->proxy.connect_timeout;
     ctx->proxy.client_ctx.first_byte_timeout = &ctx->proxy.first_byte_timeout;
-    ctx->proxy.client_ctx.ssl_ctx = config->proxy.ssl_ctx;
 
     ctx->_module_configs = h2o_mem_alloc(sizeof(*ctx->_module_configs) * config->_num_config_slots);
     memset(ctx->_module_configs, 0, sizeof(*ctx->_module_configs) * config->_num_config_slots);