SSL: abort handshake on SSL_set_SSL_CTX() errors.

In rare cases, such as memory allocation failure, SSL_set_SSL_CTX() returns NULL, which could mean that a different SSL configuration has not been set. Note that this new behaviour seemingly originated in OpenSSL-1.1.0 release.
author: Sergey Kandaurov <pluknet@nginx.com> 2020-09-24 15:51:29 +0300
committer: Sergey Kandaurov <pluknet@nginx.com> 2020-09-24 15:51:29 +0300
commit: 3bbeb1b8de857409c3dc9da45eb963d13b126537 (patch)
tree: f3806ffd54b02113955c337089b2280561888d10 /src/http/ngx_http_request.c
parent: 6c89d752c8ab3a3cc0832927484808b68153f8c4 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index f80785d8f..2a0528c68 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -932,7 +932,10 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
     c->ssl->buffer_size = sscf->buffer_size;
 
     if (sscf->ssl.ctx) {
-        SSL_set_SSL_CTX(ssl_conn, sscf->ssl.ctx);
+        if (SSL_set_SSL_CTX(ssl_conn, sscf->ssl.ctx) == NULL) {
+            *ad = SSL_AD_INTERNAL_ERROR;
+            return SSL_TLSEXT_ERR_ALERT_FATAL;
+        }
 
         /*
          * SSL_set_SSL_CTX() only changes certs as of 1.0.0d
author	Sergey Kandaurov <pluknet@nginx.com>	2020-09-24 15:51:29 +0300
committer	Sergey Kandaurov <pluknet@nginx.com>	2020-09-24 15:51:29 +0300
commit	3bbeb1b8de857409c3dc9da45eb963d13b126537 (patch)
tree	f3806ffd54b02113955c337089b2280561888d10 /src/http/ngx_http_request.c
parent	6c89d752c8ab3a3cc0832927484808b68153f8c4 (diff)