Sergey Kandaurov
September 24, 2020 08:54AM
details: https://hg.nginx.org/nginx/rev/eb940fe579cf
branches:
changeset: 7712:eb940fe579cf
user: Sergey Kandaurov <pluknet@nginx.com>
date: Thu Sep 24 13:51:29 2020 +0100
description:
SSL: abort handshake on SSL_set_SSL_CTX() errors.

In rare cases, such as memory allocation failure, SSL_set_SSL_CTX() returns
NULL, which could mean that a different SSL configuration has not been set.
Note that this new behaviour seemingly originated in OpenSSL-1.1.0 release.

diffstat:

src/http/ngx_http_request.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)

diffs (15 lines):

diff -r 526dddf637bb -r eb940fe579cf src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c Wed Sep 23 19:52:31 2020 +0300
+++ b/src/http/ngx_http_request.c Thu Sep 24 13:51:29 2020 +0100
@@ -932,7 +932,10 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *
c->ssl->buffer_size = sscf->buffer_size;

if (sscf->ssl.ctx) {
- SSL_set_SSL_CTX(ssl_conn, sscf->ssl.ctx);
+ if (SSL_set_SSL_CTX(ssl_conn, sscf->ssl.ctx) == NULL) {
+ *ad = SSL_AD_INTERNAL_ERROR;
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
+ }

/*
* SSL_set_SSL_CTX() only changes certs as of 1.0.0d
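Review bot: The new failure branch under `if (SSL_set_SSL_CTX(ssl_conn, sscf->ssl.ctx) == NULL)` sets `*ad` and returns without logging anything, so a handshake aborted here reaches the client as an internal_error alert while nothing in this hunk records the cause on the server side. Consider writing an error-log entry that names SSL_set_SSL_CTX() as the failing call before `return SSL_TLSEXT_ERR_ALERT_FATAL;`. A brief comment would also help to note that `c->ssl->buffer_size = sscf->buffer_size;` has already been applied from the new configuration above the check, which is harmless only because the handshake is aborted.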
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel