IntenseWebs/nginx
3
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-02-25 18:55:26 -06:00
Code Issues Packages Projects Releases Wiki Activity

merge r3456, r3458, r3465:

Browse Source 
SSL fixes:

*) decrease SSL handshake error level to info
*) Set SSL session context for "ssl_session_cache none".
   This fixes a bug when client certficate is used and nginx closes connection
   with the message: "SSL_GET_PREV_SESSION:session id context uninitialized".
*) add OpenSSL_add_all_algorithms(), this fixes the error
   "ASN1_item_verify:unknown message digest algorithm" occurred if
   client certificate is signed using sha256WithRSAEncryption
This commit is contained in:
Igor Sysoev 2010-06-07 10:09:14 +00:00
parent 54573bdc1f
commit 49ab49ec55
2 changed files with 10 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
src/event/ngx_event_openssl.c
View File

@ -106,6 +106,8 @@ ngx_ssl_init(ngx_log_t *log)
ENGINE_load_builtin_engines(); ENGINE_load_builtin_engines();
OpenSSL_add_all_algorithms();
ngx_ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); ngx_ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
if (ngx_ssl_connection_index == -1) { if (ngx_ssl_connection_index == -1) {
@ -1308,10 +1310,14 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
/* handshake failures */ /* handshake failures */
if (n == SSL_R_DIGEST_CHECK_FAILED /* 149 */ if (n == SSL_R_DIGEST_CHECK_FAILED /* 149 */
|| n == SSL_R_LENGTH_MISMATCH /* 159 */
|| n == SSL_R_NO_CIPHERS_PASSED /* 182 */ || n == SSL_R_NO_CIPHERS_PASSED /* 182 */
|| n == SSL_R_NO_CIPHERS_SPECIFIED /* 183 */
|| n == SSL_R_NO_SHARED_CIPHER /* 193 */ || n == SSL_R_NO_SHARED_CIPHER /* 193 */
|| n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */
|| n == SSL_R_UNEXPECTED_MESSAGE /* 244 */ || n == SSL_R_UNEXPECTED_MESSAGE /* 244 */
|| n == SSL_R_UNEXPECTED_RECORD /* 245 */ || n == SSL_R_UNEXPECTED_RECORD /* 245 */
|| n == SSL_R_UNKNOWN_ALERT_TYPE /* 246 */
|| n == SSL_R_UNKNOWN_PROTOCOL /* 252 */ || n == SSL_R_UNKNOWN_PROTOCOL /* 252 */
|| n == SSL_R_WRONG_VERSION_NUMBER /* 267 */ || n == SSL_R_WRONG_VERSION_NUMBER /* 267 */
|| n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC /* 281 */ || n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC /* 281 */
@ -1424,6 +1430,8 @@ ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
return NGX_OK; return NGX_OK;
} }
SSL_CTX_set_session_id_context(ssl->ctx, sess_ctx->data, sess_ctx->len);
if (builtin_session_cache == NGX_SSL_NONE_SCACHE) { if (builtin_session_cache == NGX_SSL_NONE_SCACHE) {
/* /*
@ -1455,8 +1463,6 @@ ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
SSL_CTX_set_session_cache_mode(ssl->ctx, cache_mode); SSL_CTX_set_session_cache_mode(ssl->ctx, cache_mode);
SSL_CTX_set_session_id_context(ssl->ctx, sess_ctx->data, sess_ctx->len);
if (builtin_session_cache != NGX_SSL_NO_BUILTIN_SCACHE) { if (builtin_session_cache != NGX_SSL_NO_BUILTIN_SCACHE) {
if (builtin_session_cache != NGX_SSL_DFLT_BUILTIN_SCACHE) { if (builtin_session_cache != NGX_SSL_DFLT_BUILTIN_SCACHE) {
@ -2311,5 +2317,6 @@ ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
static void static void
ngx_openssl_exit(ngx_cycle_t *cycle) ngx_openssl_exit(ngx_cycle_t *cycle)
{ {
EVP_cleanup();
ENGINE_cleanup(); ENGINE_cleanup();
} }

1
src/event/ngx_event_openssl.h
View File

@ -15,6 +15,7 @@
#include <openssl/err.h> #include <openssl/err.h>
#include <openssl/conf.h> #include <openssl/conf.h>
#include <openssl/engine.h> #include <openssl/engine.h>
#include <openssl/evp.h>
#define NGX_SSL_NAME "OpenSSL" #define NGX_SSL_NAME "OpenSSL"