IntenseWebs/nginx
3
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2024-12-19 05:33:52 -06:00
Code Issues Packages Projects Releases Wiki Activity

OCSP stapling: fixed segfault with dynamic certificate loading.

Browse Source 
If OCSP stapling was enabled with dynamic certificate loading, with some
OpenSSL versions (1.0.2o and older, 1.1.0h and older; fixed in 1.0.2p,
1.1.0i, 1.1.1) a segmentation fault might happen.

The reason is that during an abbreviated handshake the certificate
callback is not called, but the certificate status callback was called
(https://github.com/openssl/openssl/issues/1662), leading to NULL being
returned from SSL_get_certificate().

Fix is to explicitly check SSL_get_certificate() result.
This commit is contained in:
Maxim Dounin 2019-04-15 19:13:09 +03:00
parent aaa1a57060
commit 5784889fb9
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/event/ngx_event_openssl_stapling.c
View File

@ -511,6 +511,11 @@ ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn, void *data)
rc = SSL_TLSEXT_ERR_NOACK; rc = SSL_TLSEXT_ERR_NOACK;
cert = SSL_get_certificate(ssl_conn); cert = SSL_get_certificate(ssl_conn);
if (cert == NULL) {
return rc;
}
staple = X509_get_ex_data(cert, ngx_ssl_stapling_index); staple = X509_get_ex_data(cert, ngx_ssl_stapling_index);
if (staple == NULL) { if (staple == NULL) {