bugfix: a segmentation fault might occur when SSL renegotiation happens #1355
Conversation
AFAIK, server-side SSL renegotiation is disabled in Nginx.
@spacewander The usage of I don't know what your new plan is for compatibility with the Nginx 1.15.x series; if there is no such plan, maybe it's better to fix this up?
Why not backport the patch to the Nginx older than
@spacewander The purpose is not to "work around a fixed bug" but to solve the segmentation fault problem. Of course, putting the patch in for old Nginx is also OK.
@tokers
src/ngx_http_lua_ssl_certby.c
Outdated
@@ -201,6 +201,10 @@ ngx_http_lua_ssl_cert_handler(ngx_ssl_conn_t *ssl_conn, void *data) | |||
|
|||
c = ngx_ssl_get_connection(ssl_conn); | |||
|
|||
if (c->ssl->renegotiation) { | |||
return 0; |
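Review bot: the early return on `c->ssl->renegotiation` at the top of ngx_http_lua_ssl_cert_handler fails the handshake silently; since 0 here marks the certificate callback as failed (and -1 would mean "still in progress", as discussed in this thread), add an ngx_log_error(NGX_LOG_ERR, c->log, 0, ...) call beside the `return 0;`, or at least a comment stating that renegotiation is rejected rather than handled, so an operator can tell a rejected renegotiation apart from any other cert-callback failure in the error log.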
IMHO, we should return -1 and log an error message. In an ideal world, in which Nginx and OpenSSL work perfectly, server-side renegotiation is disabled. Also, skipping the ssl_cert_by_lua phase and using the dummy SSL certificate is not always expected during renegotiation.
Why should we return -1? -1 indicates that the current stage is still in progress.
@tokers My bad. Yes, it should return 0.
@spacewander I have updated this change.
Okay, I think we can check the Nginx version number and the
@tokers Is it possible to add a test case to cover this?
It seems difficult to me; I don't know how to make Test::Nginx perform SSL renegotiation.
@tokers
@spacewander
Please see #1354 for more details. Since it is tough to distinguish whether the current connection has been upgraded to HTTP/2 in the ngx_http_lua_ssl_cert_handler context, this PR just returns 0 (marks failed) when SSL renegotiation happens. Nginx has already prohibited SSL renegotiation, so it is safe.
@agentzh @spacewander A test was added. This problem only occurs when the OpenSSL version is between
This pull request is now in conflict :(
Please see #1354 for more details. Since it is tough to distinguish whether the current connection has been upgraded to HTTP/2 in the ngx_http_lua_ssl_cert_handler context, this PR just returns 0 (marks failed) when SSL renegotiation happens. Nginx has already prohibited SSL renegotiation, so it is safe.

I hereby grant the copyright of the changes in this pull request to the authors of this lua-nginx-module project.