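--- a/config.c	Thu Jan 28 12:43:17 2010 +0100
+++ b/config.c	Thu Jan 28 13:58:58 2010 +0100
@@ -74,7 +74,7 @@
 
 static regex_t Empty, Comment, User, Group, RootJail, Daemon, LogFacility, LogLevel, Alive, SSLEngine, Control;
 static regex_t ListenHTTP, ListenHTTPS, End, Address, Port, Cert, xHTTP, Client, CheckURL;
-static regex_t Err414, Err500, Err501, Err503, MaxRequest, HeadRemove, RewriteLocation, RewriteDestination;
+static regex_t Err414, Err500, Err501, Err503, ErrNoSsl, MaxRequest, HeadRemove, RewriteLocation, RewriteDestination;
 static regex_t Service, ServiceName, URL, HeadRequire, HeadDeny, BackEnd, Emergency, Priority, HAport, HAportAddr;
 static regex_t Redirect, RedirectN, TimeOut, Session, Type, TTL, ID, DynScale;
 static regex_t ClientCert, AddHeader, Ciphers, CAlist, VerifyList, CRLlist, NoHTTPS11;
@@ -825,6 +825,7 @@
 res->err500 = "An internal server error occurred. Please try again later.";
 res->err501 = "This method may not be used.";
 res->err503 = "The service is not available. Please try again later.";
+ res->errnossl= "Please use HTTPS.";
 res->log_level = log_level;
 if(regcomp(&res->verb, xhttp[0], REG_ICASE | REG_NEWLINE | REG_EXTENDED)) {
 logmsg(LOG_ERR, "line %d: xHTTP bad default pattern - aborted", n_lin);
@@ -894,6 +895,9 @@
 } else if(!regexec(&Err503, lin, 4, matches, 0)) {
 lin[matches[1].rm_eo] = '\0';
 res->err503 = file2str(lin + matches[1].rm_so);
+ } else if(!regexec(&ErrNoSsl, lin, 4, matches, 0)) {
+ lin[matches[1].rm_eo] = '\0';
+ res->errnossl = file2str(lin + matches[1].rm_so);
 } else if(!regexec(&MaxRequest, lin, 4, matches, 0)) {
 res->max_req = atol(lin + matches[1].rm_so);
 } else if(!regexec(&HeadRemove, lin, 4, matches, 0)) {
@@ -1229,6 +1233,7 @@
 || regcomp(&Err500, "^[ \t]*Err500[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
 || regcomp(&Err501, "^[ \t]*Err501[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
 || regcomp(&Err503, "^[ \t]*Err503[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
+ || regcomp(&ErrNoSsl, "^[ \t]*ErrNoSsl[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
 || regcomp(&MaxRequest, "^[ \t]*MaxRequest[ \t]+([1-9][0-9]*)[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
 || regcomp(&HeadRemove, "^[ \t]*HeadRemove[ \t]+\"(.+)\"[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
 || regcomp(&RewriteLocation, "^[ \t]*RewriteLocation[ \t]+([012])[ \t]*$", REG_ICASE | REG_NEWLINE | REG_EXTENDED)
@@ -1383,6 +1388,7 @@
 regfree(&Err500);
 regfree(&Err501);
 regfree(&Err503);
+ regfree(&ErrNoSsl);
 regfree(&MaxRequest);
 regfree(&HeadRemove);
 regfree(&RewriteLocation);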
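Review bot: In the defaults hunk (@@ -825) the new line `res->errnossl= "Please use HTTPS.";` drops the space before `=` that every neighbouring assignment uses; write `res->errnossl = "Please use HTTPS.";`. The ErrNoSsl parsing, regcomp and regfree hunks mirror the existing Err503 handling line for line, so nothing further to raise there. Each of these hunks sits inside a function whose start and end are outside the diff.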
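--- a/http.c	Thu Jan 28 12:43:17 2010 +0100
+++ b/http.c	Thu Jan 28 13:58:58 2010 +0100
@@ -32,6 +32,7 @@
 static char *h500 = "500 Internal Server Error",
 *h501 = "501 Not Implemented",
 *h503 = "503 Service Unavailable",
+ *h400 = "400 Bad Request",
 *h414 = "414 Request URI too long";
 
 static char *err_response = "HTTP/1.0 %s\r\nContent-Type: text/html\r\nContent-Length: %d\r\nExpires: now\r\nPragma: no-cache\r\nCache-control: no-cache,no-store\r\n\r\n%s";
@@ -490,7 +491,7 @@
 BACKEND *backend, *cur_backend, *old_backend;
 struct addrinfo from_host, z_addr;
 struct sockaddr_storage from_host_addr;
- BIO *cl, *be, *bb, *b64;
+ BIO *oldcl, *cl, *be, *bb, *b64;
 X509 *x509;
 char request[MAXBUF], response[MAXBUF], buf[MAXBUF], url[MAXBUF], loc_path[MAXBUF], **headers,
 headers_ok[MAXHEADERS], v_host[MAXBUF], referer[MAXBUF], u_agent[MAXBUF], u_name[MAXBUF],
@@ -553,14 +554,14 @@
 }
 BIO_set_ssl(bb, ssl, BIO_CLOSE);
 BIO_set_ssl_mode(bb, 0);
+
+ oldcl = cl;
 cl = bb;
 if(BIO_do_handshake(cl) <= 0) {
- /* no need to log every client without a certificate...
- addr2str(caddr, MAXBUF - 1, &from_host, 1);
- logmsg(LOG_NOTICE, "BIO_do_handshake with %s failed: %s", caddr,
- ERR_error_string(ERR_get_error(), NULL));
- x509 = NULL;
- */
+ if ((ERR_GET_REASON(ERR_peek_error()) == SSL_R_HTTP_REQUEST)
+ && (ERR_GET_LIB(ERR_peek_error()) == ERR_LIB_SSL)) {
+ err_reply(oldcl, h400, lstn->errnossl);
+ }
 BIO_reset(cl);
 BIO_free_all(cl);
 pthread_exit(NULL);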
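Review bot: The new branch after `BIO_do_handshake(cl)` decides whether to answer in plaintext from `ERR_peek_error()`, which returns the oldest entry in this thread's OpenSSL error queue, so an error left over from an earlier call in this thread (nothing in the hunk clears the queue before the handshake) can make the test miss a genuine SSL_R_HTTP_REQUEST or match one that belongs to a previous operation. Add `ERR_clear_error();` immediately before the handshake, or test `ERR_peek_last_error()` instead, and read the code once into a local such as `unsigned long e = ERR_peek_last_error();` rather than calling the peek twice. The removed block comment was the only record of why handshake failures are deliberately not logged per client; keep that rationale, e.g. `/* plain HTTP on an HTTPS port gets a 400 over the raw BIO; other handshake failures are intentionally not logged */`. Writing the 400 through `oldcl` presumably relies on the underlying socket BIO still being usable after the failed handshake and on `BIO_free_all(cl)` releasing it afterwards via BIO_CLOSE; since that ownership is not visible here, a one-line comment at `oldcl = cl;` saying so would help. The enclosing function starts and ends outside the hunk.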
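--- a/pound.h	Thu Jan 28 12:43:17 2010 +0100
+++ b/pound.h	Thu Jan 28 13:58:58 2010 +0100
@@ -357,7 +357,8 @@
 char *err414, /* error messages */
 *err500,
 *err501,
- *err503;
+ *err503,
+ *errnossl;
 long max_req; /* max. request size */
 MATCHER *head_off; /* headers to remove */
 int rewr_loc; /* rewrite location response */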
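Review bot: The new `errnossl` member is added under the generic `/* error messages */` comment with nothing saying when it is used, while the neighbouring `max_req` and `head_off` each carry their own note; the http.c hunk shows it is the body sent with a 400 when a plain HTTP request reaches an HTTPS listener, so write `*errnossl; /* 400 body for plain HTTP on an HTTPS listener */`. The enclosing struct starts and ends outside the hunk.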