Welcome! Log In Create A New Profile

Advanced

[nginx] SSL: fixed non-working SSL shutdown on lingering close.

November 06, 2020 03:46PM
details: https://hg.nginx.org/nginx/rev/554c6ae25ffc
branches:
changeset: 7738:554c6ae25ffc
user: Ruslan Ermilov <ru@nginx.com>
date: Fri Nov 06 23:44:54 2020 +0300
description:
SSL: fixed non-working SSL shutdown on lingering close.

When doing lingering close, the socket was first shut down for writing,
so SSL shutdown initiated after lingering close was not able to send
the close_notify alerts (ticket #2056).

The fix is to call ngx_ssl_shutdown() before shutting down the socket.

diffstat:

src/http/ngx_http_request.c | 39 +++++++++++++++++++++++++++++-------
src/http/ngx_http_request_body.c | 1 +
src/http/v2/ngx_http_v2.c | 42 +++++++++++++++++++++++++++++++--------
3 files changed, 65 insertions(+), 17 deletions(-)

diffs (185 lines):

diff -r ed17a2a95c8d -r 554c6ae25ffc src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c Fri Nov 06 23:44:47 2020 +0300
+++ b/src/http/ngx_http_request.c Fri Nov 06 23:44:54 2020 +0300
@@ -49,7 +49,7 @@ static void ngx_http_request_finalizer(n

static void ngx_http_set_keepalive(ngx_http_request_t *r);
static void ngx_http_keepalive_handler(ngx_event_t *ev);
-static void ngx_http_set_lingering_close(ngx_http_request_t *r);
+static void ngx_http_set_lingering_close(ngx_connection_t *c);
static void ngx_http_lingering_close_handler(ngx_event_t *ev);
static ngx_int_t ngx_http_post_action(ngx_http_request_t *r);
static void ngx_http_close_request(ngx_http_request_t *r, ngx_int_t error);
@@ -2754,7 +2754,7 @@ ngx_http_finalize_connection(ngx_http_re
|| r->header_in->pos < r->header_in->last
|| r->connection->read->ready)))
{
- ngx_http_set_lingering_close(r);
+ ngx_http_set_lingering_close(r->connection);
return;
}

@@ -3368,22 +3368,43 @@ ngx_http_keepalive_handler(ngx_event_t *


static void
-ngx_http_set_lingering_close(ngx_http_request_t *r)
+ngx_http_set_lingering_close(ngx_connection_t *c)
{
ngx_event_t *rev, *wev;
- ngx_connection_t *c;
+ ngx_http_request_t *r;
ngx_http_core_loc_conf_t *clcf;

- c = r->connection;
+ r = c->data;

clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);

+ if (r->lingering_time == 0) {
+ r->lingering_time = ngx_time() + (time_t) (clcf->lingering_time / 1000);
+ }
+
+#if (NGX_HTTP_SSL)
+ if (c->ssl) {
+ ngx_int_t rc;
+
+ rc = ngx_ssl_shutdown(c);
+
+ if (rc == NGX_ERROR) {
+ ngx_http_close_request(r, 0);
+ return;
+ }
+
+ if (rc == NGX_AGAIN) {
+ c->ssl->handler = ngx_http_set_lingering_close;
+ return;
+ }
+
+ c->recv = ngx_recv;
+ }
+#endif
+
rev = c->read;
rev->handler = ngx_http_lingering_close_handler;

- r->lingering_time = ngx_time() + (time_t) (clcf->lingering_time / 1000);
- ngx_add_timer(rev, clcf->lingering_timeout);
-
if (ngx_handle_read_event(rev, 0) != NGX_OK) {
ngx_http_close_request(r, 0);
return;
@@ -3406,6 +3427,8 @@ ngx_http_set_lingering_close(ngx_http_re
return;
}

+ ngx_add_timer(rev, clcf->lingering_timeout);
+
if (rev->ready) {
ngx_http_lingering_close_handler(rev);
}
diff -r ed17a2a95c8d -r 554c6ae25ffc src/http/ngx_http_request_body.c
--- a/src/http/ngx_http_request_body.c Fri Nov 06 23:44:47 2020 +0300
+++ b/src/http/ngx_http_request_body.c Fri Nov 06 23:44:54 2020 +0300
@@ -674,6 +674,7 @@ ngx_http_discarded_request_body_handler(
if (rc == NGX_OK) {
r->discard_body = 0;
r->lingering_close = 0;
+ r->lingering_time = 0;
ngx_http_finalize_request(r, NGX_DONE);
return;
}
diff -r ed17a2a95c8d -r 554c6ae25ffc src/http/v2/ngx_http_v2.c
--- a/src/http/v2/ngx_http_v2.c Fri Nov 06 23:44:47 2020 +0300
+++ b/src/http/v2/ngx_http_v2.c Fri Nov 06 23:44:54 2020 +0300
@@ -60,7 +60,7 @@ typedef struct {
static void ngx_http_v2_read_handler(ngx_event_t *rev);
static void ngx_http_v2_write_handler(ngx_event_t *wev);
static void ngx_http_v2_handle_connection(ngx_http_v2_connection_t *h2c);
-static void ngx_http_v2_lingering_close(ngx_http_v2_connection_t *h2c);
+static void ngx_http_v2_lingering_close(ngx_connection_t *c);
static void ngx_http_v2_lingering_close_handler(ngx_event_t *rev);

static u_char *ngx_http_v2_state_proxy_protocol(ngx_http_v2_connection_t *h2c,
@@ -664,7 +664,7 @@ ngx_http_v2_handle_connection(ngx_http_v
}

if (h2c->goaway) {
- ngx_http_v2_lingering_close(h2c);
+ ngx_http_v2_lingering_close(c);
return;
}

@@ -703,13 +703,13 @@ ngx_http_v2_handle_connection(ngx_http_v


static void
-ngx_http_v2_lingering_close(ngx_http_v2_connection_t *h2c)
+ngx_http_v2_lingering_close(ngx_connection_t *c)
{
ngx_event_t *rev, *wev;
- ngx_connection_t *c;
+ ngx_http_v2_connection_t *h2c;
ngx_http_core_loc_conf_t *clcf;

- c = h2c->connection;
+ h2c = c->data;

clcf = ngx_http_get_module_loc_conf(h2c->http_connection->conf_ctx,
ngx_http_core_module);
@@ -719,12 +719,34 @@ ngx_http_v2_lingering_close(ngx_http_v2_
return;
}

+ if (h2c->lingering_time == 0) {
+ h2c->lingering_time = ngx_time()
+ + (time_t) (clcf->lingering_time / 1000);
+ }
+
+#if (NGX_HTTP_SSL)
+ if (c->ssl) {
+ ngx_int_t rc;
+
+ rc = ngx_ssl_shutdown(c);
+
+ if (rc == NGX_ERROR) {
+ ngx_http_close_connection(c);
+ return;
+ }
+
+ if (rc == NGX_AGAIN) {
+ c->ssl->handler = ngx_http_v2_lingering_close;
+ return;
+ }
+
+ c->recv = ngx_recv;
+ }
+#endif
+
rev = c->read;
rev->handler = ngx_http_v2_lingering_close_handler;

- h2c->lingering_time = ngx_time() + (time_t) (clcf->lingering_time / 1000);
- ngx_add_timer(rev, clcf->lingering_timeout);
-
if (ngx_handle_read_event(rev, 0) != NGX_OK) {
ngx_http_close_connection(c);
return;
@@ -747,6 +769,8 @@ ngx_http_v2_lingering_close(ngx_http_v2_
return;
}

+ ngx_add_timer(rev, clcf->lingering_timeout);
+
if (rev->ready) {
ngx_http_v2_lingering_close_handler(rev);
}
@@ -4757,7 +4781,7 @@ done:
return;
}

- ngx_http_v2_lingering_close(h2c);
+ ngx_http_v2_lingering_close(c);
}


_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[nginx] SSL: fixed non-working SSL shutdown on lingering close.

ru@nginx.com 96 November 06, 2020 03:46PM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 71
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready