aboutsummaryrefslogtreecommitdiff
path: root/src/event/ngx_event_openssl.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/event/ngx_event_openssl.c')
-rw-r--r--src/event/ngx_event_openssl.c28
1 files changed, 25 insertions, 3 deletions
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 8963c8124..0681ca3a2 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -567,10 +567,17 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
{
char *err;
X509 *x509;
+ u_long n;
EVP_PKEY *pkey;
+ ngx_uint_t mask;
STACK_OF(X509) *chain;
- chain = ngx_ssl_cache_connection_fetch(cache, pool, NGX_SSL_CACHE_CERT,
+ mask = 0;
+
+retry:
+
+ chain = ngx_ssl_cache_connection_fetch(cache, pool,
+ NGX_SSL_CACHE_CERT | mask,
&err, cert, NULL);
if (chain == NULL) {
if (err != NULL) {
@@ -611,7 +618,8 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
#endif
- pkey = ngx_ssl_cache_connection_fetch(cache, pool, NGX_SSL_CACHE_PKEY,
+ pkey = ngx_ssl_cache_connection_fetch(cache, pool,
+ NGX_SSL_CACHE_PKEY | mask,
&err, key, passwords);
if (pkey == NULL) {
if (err != NULL) {
@@ -624,9 +632,23 @@ ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
}
if (SSL_use_PrivateKey(c->ssl->connection, pkey) == 0) {
+ EVP_PKEY_free(pkey);
+
+ /* there can be mismatched pairs on uneven cache update */
+
+ n = ERR_peek_last_error();
+
+ if (ERR_GET_LIB(n) == ERR_LIB_X509
+ && ERR_GET_REASON(n) == X509_R_KEY_VALUES_MISMATCH
+ && mask == 0)
+ {
+ ERR_clear_error();
+ mask = NGX_SSL_CACHE_INVALIDATE;
+ goto retry;
+ }
+
ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
"SSL_use_PrivateKey(\"%s\") failed", key->data);
- EVP_PKEY_free(pkey);
return NGX_ERROR;
}
generated by cgit v1.2.3 (git 2.25.1) at 2025-05-18 22:38:13 +0000