This looks like a bug fixed in the Apache 2.1 tree (the current CVS HEAD of the httpd-2.0 repository).
I checked the CVS repository and found the fix you are referring to. Apparently this was already backported to the 2.0 branch (2.0 diff attached). We patched Apache 2.0, but the problem is not fixed. Is this the only patch that is needed?
The problem also only occurs when we use our custom hook. The Apache process does not hang when using standard CA auth.
We had not reset the BIO information to a blocking read in every possible path through the filtering code (e.g. a read-back from the client during a write operation was required to be a blocking read, but the last client read state may have been blocking. We neglected to reset it.)
This is now fixed in the current code, and checking out the httpd-2.0 repository and building Apache's current development tree will help us to confirm the fix. Thank you for the note.
-- ir. Kris Verbeeck Software Engineer
Ubizen - Ubicenter - Philipssite 5 - 3001 Leuven - Belgium T: +32 16 28 70 64 F: +32 16 28 70 77
Ubizen - We Secure e-business - www.ubizen.com
=================================================================== RCS file: /home/cvspublic/httpd-2.0/modules/ssl/ssl_engine_io.c,v retrieving revision 1.100.2.4 retrieving revision 1.100.2.5 diff -u -r1.100.2.4 -r1.100.2.5 --- httpd-2.0/modules/ssl/ssl_engine_io.c 2003/04/05 19:04:43 1.100.2.4 +++ httpd-2.0/modules/ssl/ssl_engine_io.c 2003/07/28 02:02:24 1.100.2.5 @@ -1275,6 +1275,8 @@ { apr_status_t status = APR_SUCCESS; ssl_filter_ctx_t *filter_ctx = f->ctx; + bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *) + (filter_ctx->pbioRead->ptr); if (f->c->aborted) { apr_brigade_cleanup(bb); @@ -1286,6 +1288,13 @@ return ap_pass_brigade(f->next, bb); } + /* When we are the writer, we must initialize the inctx + * mode so that we block for any required ssl input, because + * output filtering is always nonblocking. + */ + inctx->mode = AP_MODE_READBYTES; + inctx->block = APR_BLOCK_READ; + if ((status = ssl_io_filter_connect(filter_ctx)) != APR_SUCCESS) { return ssl_io_filter_error(f, bb, status); } @@ -1359,15 +1368,16 @@ filter_ctx->pbioRead = BIO_new(&bio_filter_in_method); filter_ctx->pbioRead->ptr = (void *)inctx; - inctx->filter_ctx = filter_ctx; inctx->ssl = ssl; inctx->bio_out = filter_ctx->pbioWrite; inctx->f = filter_ctx->pInputFilter; - inctx->bb = apr_brigade_create(c->pool, c->bucket_alloc); - + inctx->rc = APR_SUCCESS; + inctx->mode = AP_MODE_READBYTES; inctx->cbuf.length = 0; - + inctx->bb = apr_brigade_create(c->pool, c->bucket_alloc); + inctx->block = APR_BLOCK_READ; inctx->pool = c->pool; + inctx->filter_ctx = filter_ctx; } void ssl_io_filter_init(conn_rec *c, SSL *ssl)
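Review bot: In the @@ -1275,6 +1275,8 @@ hunk, inctx is initialised from filter_ctx->pbioRead->ptr in the declaration block, ahead of the f->c->aborted check and the early return ap_pass_brigade(f->next, bb) that the next hunk shows as context. If pbioRead can be NULL on either of those paths, the dereference now runs before the guard; moving the assignment down to just before inctx->mode is set would keep it on the only path that needs it.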
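Review bot: In the @@ -1286,6 +1288,13 @@ hunk, inctx->mode and inctx->block are overwritten on every pass through the output filter and nothing in the visible lines restores the previous values, so the input side can no longer rely on what it last stored there. The comment should say that explicitly (this is a reset on each write, not an initialisation) and note that the input filter is expected to set both fields itself on each read.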
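Review bot: In the @@ -1359,15 +1368,16 @@ hunk, the moves of inctx->filter_ctx and inctx->bb and the removal of the blank lines are unrelated reordering that obscures the three functional additions (inctx->rc, inctx->mode, inctx->block); keeping the existing order and only adding the new assignments would make the fix easier to audit and backport. Since the hunk shows that these fields were previously left unset, a comment stating whether inctx is zero-allocated, or an explicit initialisation of every field here, would also help.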