aboutsummaryrefslogtreecommitdiff
path: root/src/stream/ngx_stream_proxy_module.c
diff options
context:
space:
mode:
authorMaxim Dounin <mdounin@mdounin.ru>2018-10-02 17:46:18 +0300
committerMaxim Dounin <mdounin@mdounin.ru>2018-10-02 17:46:18 +0300
commit53803b4780be15d8014be183d4161091fd5f3376 (patch)
tree30148d38063311ba72b08ba52839e4cedb479f7b /src/stream/ngx_stream_proxy_module.c
parentdf0dfa634d54904ea9e0714547547131a6b2da10 (diff)
downloadnginx-53803b4780be15d8014be183d4161091fd5f3376.tar.gz
nginx-53803b4780be15d8014be183d4161091fd5f3376.zip
SSL: fixed segfault on renegotiation (ticket #1646).
In e3ba4026c02d (1.15.4) nginx own renegotiation checks were disabled if SSL_OP_NO_RENEGOTIATION is available. But since SSL_OP_NO_RENEGOTIATION is only set on a connection, not in an SSL context, SSL_clear_option() removed it as long as a matching virtual server was found. This resulted in a segmentation fault similar to the one fixed in a6902a941279 (1.9.8), affecting nginx built with OpenSSL 1.1.0h or higher. To fix this, SSL_OP_NO_RENEGOTIATION is now explicitly set in ngx_http_ssl_servername() after adjusting options. Additionally, instead of c->ssl->renegotiation we now check c->ssl->handshaked, which seems to be a more correct flag to test, and will prevent the segmentation fault from happening even if SSL_OP_NO_RENEGOTIATION is not working.
Diffstat (limited to 'src/stream/ngx_stream_proxy_module.c')
0 files changed, 0 insertions, 0 deletions