diff options
author | Sergey Kandaurov <pluknet@nginx.com> | 2020-09-24 15:51:29 +0300 |
---|---|---|
committer | Sergey Kandaurov <pluknet@nginx.com> | 2020-09-24 15:51:29 +0300 |
commit | 3bbeb1b8de857409c3dc9da45eb963d13b126537 (patch) | |
tree | f3806ffd54b02113955c337089b2280561888d10 /src/http/ngx_http_request.c | |
parent | 6c89d752c8ab3a3cc0832927484808b68153f8c4 (diff) |
SSL: abort handshake on SSL_set_SSL_CTX() errors.
In rare cases, such as memory allocation failure, SSL_set_SSL_CTX() returns
NULL, which could mean that a different SSL configuration has not been set.
Note that this new behaviour seemingly originated in OpenSSL-1.1.0 release.
Diffstat (limited to 'src/http/ngx_http_request.c')
-rw-r--r-- | src/http/ngx_http_request.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c index f80785d8f..2a0528c68 100644 --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -932,7 +932,10 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) c->ssl->buffer_size = sscf->buffer_size; if (sscf->ssl.ctx) { - SSL_set_SSL_CTX(ssl_conn, sscf->ssl.ctx); + if (SSL_set_SSL_CTX(ssl_conn, sscf->ssl.ctx) == NULL) { + *ad = SSL_AD_INTERNAL_ERROR; + return SSL_TLSEXT_ERR_ALERT_FATAL; + } /* * SSL_set_SSL_CTX() only changes certs as of 1.0.0d |