diff options
| author | Maxim Dounin <mdounin@mdounin.ru> | 2018-10-02 17:46:18 +0300 |
|---|---|---|
| committer | Maxim Dounin <mdounin@mdounin.ru> | 2018-10-02 17:46:18 +0300 |
| commit | 53803b4780be15d8014be183d4161091fd5f3376 (patch) | |
| tree | 30148d38063311ba72b08ba52839e4cedb479f7b /src/http/ngx_http_request.c | |
| parent | df0dfa634d54904ea9e0714547547131a6b2da10 (diff) | |
SSL: fixed segfault on renegotiation (ticket #1646).
In e3ba4026c02d (1.15.4) nginx own renegotiation checks were disabled
if SSL_OP_NO_RENEGOTIATION is available. But since SSL_OP_NO_RENEGOTIATION
is only set on a connection, not in an SSL context, SSL_clear_option()
removed it as long as a matching virtual server was found. This resulted
in a segmentation fault similar to the one fixed in a6902a941279 (1.9.8),
affecting nginx built with OpenSSL 1.1.0h or higher.
To fix this, SSL_OP_NO_RENEGOTIATION is now explicitly set in
ngx_http_ssl_servername() after adjusting options. Additionally, instead
of c->ssl->renegotiation we now check c->ssl->handshaked, which seems
to be a more correct flag to test, and will prevent the segmentation fault
from happening even if SSL_OP_NO_RENEGOTIATION is not working.
Diffstat (limited to 'src/http/ngx_http_request.c')
| -rw-r--r-- | src/http/ngx_http_request.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c index c80df6e66..7dd28b8c2 100644 --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -854,7 +854,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) c = ngx_ssl_get_connection(ssl_conn); - if (c->ssl->renegotiation) { + if (c->ssl->handshaked) { return SSL_TLSEXT_ERR_NOACK; } @@ -919,6 +919,10 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) #endif SSL_set_options(ssl_conn, SSL_CTX_get_options(sscf->ssl.ctx)); + +#ifdef SSL_OP_NO_RENEGOTIATION + SSL_set_options(ssl_conn, SSL_OP_NO_RENEGOTIATION); +#endif } return SSL_TLSEXT_ERR_OK; |