SSL: avoid calling SSL_shutdown() during handshake (ticket #901).

This fixes "called a function you should not call" and "shutdown while in init" errors as observed with OpenSSL 1.0.2f due to changes in how OpenSSL handles SSL_shutdown() during SSL handshakes.
author: Maxim Dounin <mdounin@mdounin.ru> 2016-02-19 17:27:30 +0300
committer: Maxim Dounin <mdounin@mdounin.ru> 2016-02-19 17:27:30 +0300
commit: 7b232ef5aa31e228da64ae6dce3873ccedbfb2c0 (patch)
tree: cb64e229139cb34e2b7b8399bb5baad5f8d7bb7f /src
parent: 89d3762863b324e8bfabd24e41bc0003fc946601 (diff)
download: nginx-7b232ef5aa31e228da64ae6dce3873ccedbfb2c0.tar.gz
nginx-7b232ef5aa31e228da64ae6dce3873ccedbfb2c0.zip
1 files changed, 13 insertions, 0 deletions
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 1ca1945e5..de10d48a5 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -1767,6 +1767,19 @@ ngx_ssl_shutdown(ngx_connection_t *c)
     int        n, sslerr, mode;
     ngx_err_t  err;
 
+    if (SSL_in_init(c->ssl->connection)) {
+        /*
+         * OpenSSL 1.0.2f complains if SSL_shutdown() is called during
+         * an SSL handshake, while previous versions always return 0.
+         * Avoid calling SSL_shutdown() if handshake wasn't completed.
+         */
+
+        SSL_free(c->ssl->connection);
+        c->ssl = NULL;
+
+        return NGX_OK;
+    }
+
     if (c->timedout) {
         mode = SSL_RECEIVED_SHUTDOWN|SSL_SENT_SHUTDOWN;
         SSL_set_quiet_shutdown(c->ssl->connection, 1);
author	Maxim Dounin <mdounin@mdounin.ru>	2016-02-19 17:27:30 +0300
committer	Maxim Dounin <mdounin@mdounin.ru>	2016-02-19 17:27:30 +0300
commit	7b232ef5aa31e228da64ae6dce3873ccedbfb2c0 (patch)
tree	cb64e229139cb34e2b7b8399bb5baad5f8d7bb7f /src
parent	89d3762863b324e8bfabd24e41bc0003fc946601 (diff)
download	nginx-7b232ef5aa31e228da64ae6dce3873ccedbfb2c0.tar.gz nginx-7b232ef5aa31e228da64ae6dce3873ccedbfb2c0.zip