shrpx: Explicitly hold server SSL_CTX and client SSL_CTX

src/shrpx.cc

@@ -242,11 +242,12 @@ int event_loop()
 {
   event_base *evbase = event_base_new();
 
-  SSL_CTX *ssl_ctx = get_config()->client_mode ?
-    ssl::create_ssl_client_context() : get_config()->default_ssl_ctx;
-
-  ListenHandler *listener_handler = new ListenHandler(evbase, ssl_ctx);
+  SSL_CTX *sv_ssl_ctx = get_config()->default_ssl_ctx;
+  SSL_CTX *cl_ssl_ctx = get_config()->client_mode ?
+    ssl::create_ssl_client_context() : 0;
 
+  ListenHandler *listener_handler = new ListenHandler(evbase, sv_ssl_ctx,
+                                                      cl_ssl_ctx);
   if(get_config()->daemon) {
     if(daemon(0, 0) == -1) {
       LOG(FATAL) << "Failed to daemonize: " << strerror(errno);
@@ -269,7 +270,7 @@ int event_loop()
 
   if(get_config()->num_worker > 1) {
     listener_handler->create_worker_thread(get_config()->num_worker);
-  } else if(get_config()->client_mode) {
+  } else if(cl_ssl_ctx) {
     listener_handler->create_spdy_session();
   }
 

src/shrpx_client_handler.cc

@@ -272,7 +272,7 @@ DownstreamConnection* ClientHandler::get_downstream_connection()
       CLOG(INFO, this) << "Downstream connection pool is empty."
                        << " Create new one";
     }
-    if(get_config()->client_mode) {
+    if(spdy_) {
       return new SpdyDownstreamConnection(this);
     } else {
       return new HttpDownstreamConnection(this);

src/shrpx_client_handler.h

@@ -71,8 +71,8 @@ private:
   std::string ipaddr_;
   bool should_close_after_write_;
   std::set<DownstreamConnection*> dconn_pool_;
-  // Shared SPDY session for each thread. NULL if not client mode. Not
-  // deleted by this object.
+  // Shared SPDY session for each thread. NULL if backend is not
+  // SPDY. Not deleted by this object.
   SpdySession *spdy_;
 };
 

src/shrpx_listen_handler.cc

@@ -40,9 +40,11 @@
 
 namespace shrpx {
 
-ListenHandler::ListenHandler(event_base *evbase, SSL_CTX *ssl_ctx)
+ListenHandler::ListenHandler(event_base *evbase, SSL_CTX *sv_ssl_ctx,
+                             SSL_CTX *cl_ssl_ctx)
   : evbase_(evbase),
-    ssl_ctx_(ssl_ctx),
+    sv_ssl_ctx_(sv_ssl_ctx),
+    cl_ssl_ctx_(cl_ssl_ctx),
     worker_round_robin_cnt_(0),
     workers_(0),
     num_worker_(0),
@@ -68,7 +70,8 @@ void ListenHandler::create_worker_thread(size_t num)
       LLOG(ERROR, this) << "socketpair() failed: " << strerror(errno);
       continue;
     }
-    info->ssl_ctx = ssl_ctx_;
+    info->sv_ssl_ctx = sv_ssl_ctx_;
+    info->cl_ssl_ctx = cl_ssl_ctx_;
     rv = pthread_create(&thread, &attr, start_threaded_worker, info);
     if(rv != 0) {
       LLOG(ERROR, this) << "pthread_create() failed: " << strerror(rv);
@@ -94,11 +97,9 @@ int ListenHandler::accept_connection(evutil_socket_t fd,
     LLOG(INFO, this) << "Accepted connection. fd=" << fd;
   }
   if(num_worker_ == 0) {
-    ClientHandler* client =
-      ssl::accept_ssl_connection(evbase_, ssl_ctx_, fd, addr, addrlen);
-    if(get_config()->client_mode) {
+    ClientHandler* client = ssl::accept_connection(evbase_, sv_ssl_ctx_,
+                                                   fd, addr, addrlen);
     client->set_spdy_session(spdy_);
-    }
   } else {
     size_t idx = worker_round_robin_cnt_ % num_worker_;
     ++worker_round_robin_cnt_;
@@ -124,7 +125,7 @@ event_base* ListenHandler::get_evbase() const
 int ListenHandler::create_spdy_session()
 {
   int rv;
-  spdy_ = new SpdySession(evbase_, ssl_ctx_);
+  spdy_ = new SpdySession(evbase_, cl_ssl_ctx_);
   rv = spdy_->init_notification();
   return rv;
 }

src/shrpx_listen_handler.h

@@ -38,7 +38,8 @@ namespace shrpx {
 
 struct WorkerInfo {
   int sv[2];
-  SSL_CTX *ssl_ctx;
+  SSL_CTX *sv_ssl_ctx;
+  SSL_CTX *cl_ssl_ctx;
   bufferevent *bev;
 };
 
@@ -46,7 +47,7 @@ class SpdySession;
 
 class ListenHandler {
 public:
-  ListenHandler(event_base *evbase, SSL_CTX *ssl_ctx);
+  ListenHandler(event_base *evbase, SSL_CTX *sv_ssl_ctx, SSL_CTX *cl_ssl_ctx);
   ~ListenHandler();
   int accept_connection(evutil_socket_t fd, sockaddr *addr, int addrlen);
   void create_worker_thread(size_t num);
@@ -54,14 +55,15 @@ public:
   int create_spdy_session();
 private:
   event_base *evbase_;
-  // In client-mode, this is for backend SPDY connection. Otherwise,
-  // for frontend.
-  SSL_CTX *ssl_ctx_;
+  // The frontend server SSL_CTX
+  SSL_CTX *sv_ssl_ctx_;
+  // The backend server SSL_CTX
+  SSL_CTX *cl_ssl_ctx_;
   unsigned int worker_round_robin_cnt_;
   WorkerInfo *workers_;
   size_t num_worker_;
-  // Shared SPDY session. NULL if not client mode or
-  // multi-threaded. In multi-threaded case, see shrpx_worker.cc.
+  // Shared backend SPDY session. NULL if multi-threaded. In
+  // multi-threaded case, see shrpx_worker.cc.
   SpdySession *spdy_;
 };
 

src/shrpx_ssl.cc

@@ -245,7 +245,7 @@ SSL_CTX* create_ssl_client_context()
   return ssl_ctx;
 }
 
-ClientHandler* accept_ssl_connection(event_base *evbase, SSL_CTX *ssl_ctx,
+ClientHandler* accept_connection(event_base *evbase, SSL_CTX *ssl_ctx,
                                  evutil_socket_t fd,
                                  sockaddr *addr, int addrlen)
 {
@@ -266,9 +266,7 @@ ClientHandler* accept_ssl_connection(event_base *evbase, SSL_CTX *ssl_ctx,
     }
     SSL *ssl = 0;
     bufferevent *bev;
-    if(get_config()->client_mode) {
-      bev = bufferevent_socket_new(evbase, fd, BEV_OPT_DEFER_CALLBACKS);
-    } else {
+    if(ssl_ctx) {
       ssl = SSL_new(ssl_ctx);
       if(!ssl) {
         LOG(ERROR) << "SSL_new() failed: "
@@ -278,6 +276,8 @@ ClientHandler* accept_ssl_connection(event_base *evbase, SSL_CTX *ssl_ctx,
       bev = bufferevent_openssl_socket_new
         (evbase, fd, ssl,
          BUFFEREVENT_SSL_ACCEPTING, BEV_OPT_DEFER_CALLBACKS);
+    } else {
+      bev = bufferevent_socket_new(evbase, fd, BEV_OPT_DEFER_CALLBACKS);
     }
     ClientHandler *client_handler = new ClientHandler(bev, fd, ssl, host);
     return client_handler;

src/shrpx_ssl.h

@@ -45,7 +45,7 @@ SSL_CTX* create_ssl_context(const char *private_key_file,
 
 SSL_CTX* create_ssl_client_context();
 
-ClientHandler* accept_ssl_connection(event_base *evbase, SSL_CTX *ssl_ctx,
+ClientHandler* accept_connection(event_base *evbase, SSL_CTX *ssl_ctx,
                                  evutil_socket_t fd,
                                  sockaddr *addr, int addrlen);
 

src/shrpx_thread_event_receiver.cc

@@ -58,7 +58,7 @@ void ThreadEventReceiver::on_read(bufferevent *bev)
     }
     event_base *evbase = bufferevent_get_base(bev);
     ClientHandler *client_handler;
-    client_handler = ssl::accept_ssl_connection(evbase, ssl_ctx_,
+    client_handler = ssl::accept_connection(evbase, ssl_ctx_,
                                             wev.client_fd,
                                             &wev.client_addr.sa,
                                             wev.client_addrlen);

src/shrpx_worker.cc

@@ -39,7 +39,8 @@ namespace shrpx {
 
 Worker::Worker(WorkerInfo *info)
   : fd_(info->sv[1]),
-    ssl_ctx_(info->ssl_ctx)
+    sv_ssl_ctx_(info->sv_ssl_ctx),
+    cl_ssl_ctx_(info->cl_ssl_ctx)
 {}
 
 Worker::~Worker()
@@ -74,13 +75,13 @@ void Worker::run()
   bufferevent *bev = bufferevent_socket_new(evbase, fd_,
                                             BEV_OPT_DEFER_CALLBACKS);
   SpdySession *spdy = 0;
-  if(get_config()->client_mode) {
-    spdy = new SpdySession(evbase, ssl_ctx_);
+  if(cl_ssl_ctx_) {
+    spdy = new SpdySession(evbase, cl_ssl_ctx_);
     if(spdy->init_notification() == -1) {
       DIE();
     }
   }
-  ThreadEventReceiver *receiver = new ThreadEventReceiver(ssl_ctx_, spdy);
+  ThreadEventReceiver *receiver = new ThreadEventReceiver(sv_ssl_ctx_, spdy);
   bufferevent_enable(bev, EV_READ);
   bufferevent_setcb(bev, readcb, 0, eventcb, receiver);
 

src/shrpx_worker.h

@@ -42,7 +42,8 @@ public:
 private:
   // Channel to the main thread
   int fd_;
-  SSL_CTX *ssl_ctx_;
+  SSL_CTX *sv_ssl_ctx_;
+  SSL_CTX *cl_ssl_ctx_;
 };
 
 void* start_threaded_worker(void *arg);