[nginx] SSL: preserve default server context in connection (tick...

Maxim Dounin mdounin at mdounin.ru
Mon Oct 19 18:27:45 UTC 2015


details:   http://hg.nginx.org/nginx/rev/97f102a13f33
branches:  
changeset: 6261:97f102a13f33
user:      Maxim Dounin <mdounin at mdounin.ru>
date:      Mon Oct 19 21:22:38 2015 +0300
description:
SSL: preserve default server context in connection (ticket #235).

This context is needed for the shared session cache to work in configurations
with multiple virtual servers sharing the same port.  Unfortunately, OpenSSL
does not provide an API to access the session context, so it is stored
separately.

In collaboration with Vladimir Homutov.

diffstat:

 src/event/ngx_event_openssl.c |  21 ++++++++-------------
 src/event/ngx_event_openssl.h |   1 +
 2 files changed, 9 insertions(+), 13 deletions(-)

diffs (84 lines):

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -1038,6 +1038,8 @@ ngx_ssl_create_connection(ngx_ssl_t *ssl
     sc->buffer = ((flags & NGX_SSL_BUFFER) != 0);
     sc->buffer_size = ssl->buffer_size;
 
+    sc->session_ctx = ssl->ctx;
+
     sc->connection = SSL_new(ssl->ctx);
 
     if (sc->connection == NULL) {
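Review bot: `sc->session_ctx = ssl->ctx;` stores a bare pointer and no reference on the SSL_CTX is taken in this hunk, so the pointer stays valid only while the configuration that owns `ssl->ctx` outlives the connection. A comment would make that ownership explicit, for example `/* default server SSL_CTX, borrowed (not ref-counted); used for session cache and ticket key lookup */`. The same wording fits the new `session_ctx` field in the ngx_event_openssl.h hunk, which is added without any description. ngx_ssl_create_connection starts and ends outside the hunk.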
@@ -2305,7 +2307,7 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_
 
     c = ngx_ssl_get_connection(ssl_conn);
 
-    ssl_ctx = SSL_get_SSL_CTX(ssl_conn);
+    ssl_ctx = c->ssl->session_ctx;
     shm_zone = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_cache_index);
 
     cache = shm_zone->data;
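Review bot: `shm_zone` is dereferenced by `cache = shm_zone->data;` without a NULL check, whereas ngx_ssl_session_ticket_key_callback does test its `SSL_CTX_get_ex_data()` result with `if (keys == NULL)`. With the lookup now going through `c->ssl->session_ctx`, the code presumably relies on this callback being registered only on contexts that carry the cache zone. Either a guard such as `if (shm_zone == NULL) { return 0; }` or a comment stating that invariant would make the assumption visible. The ngx_ssl_get_cached_session hunk has the same pattern, and there the guard would return NULL. Both function bodies continue outside their hunks.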
@@ -2443,21 +2445,17 @@ ngx_ssl_get_cached_session(ngx_ssl_conn_
     ngx_ssl_sess_id_t        *sess_id;
     ngx_ssl_session_cache_t  *cache;
     u_char                    buf[NGX_SSL_MAX_SESSION_SIZE];
-#if (NGX_DEBUG)
     ngx_connection_t         *c;
-#endif
 
     hash = ngx_crc32_short(id, (size_t) len);
     *copy = 0;
 
-#if (NGX_DEBUG)
     c = ngx_ssl_get_connection(ssl_conn);
 
     ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0,
                    "ssl get session: %08XD:%d", hash, len);
-#endif
-
-    shm_zone = SSL_CTX_get_ex_data(SSL_get_SSL_CTX(ssl_conn),
+
+    shm_zone = SSL_CTX_get_ex_data(c->ssl->session_ctx,
                                    ngx_ssl_session_cache_index);
 
     cache = shm_zone->data;
@@ -2836,13 +2834,14 @@ ngx_ssl_session_ticket_key_callback(ngx_
     SSL_CTX                       *ssl_ctx;
     ngx_uint_t                     i;
     ngx_array_t                   *keys;
+    ngx_connection_t              *c;
     ngx_ssl_session_ticket_key_t  *key;
 #if (NGX_DEBUG)
     u_char                         buf[32];
-    ngx_connection_t              *c;
 #endif
 
-    ssl_ctx = SSL_get_SSL_CTX(ssl_conn);
+    c = ngx_ssl_get_connection(ssl_conn);
+    ssl_ctx = c->ssl->session_ctx;
 
     keys = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_ticket_keys_index);
     if (keys == NULL) {
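Review bot: The ticket keys are now always read from the default server's context (`c->ssl->session_ctx`), so as far as this hunk shows, every virtual server sharing the port encrypts and decrypts tickets with one key set. Keys configured only on a server selected later in the handshake are not consulted here. That matches the commit's stated intent, but it means resumption is not isolated per server name, which operators reviewing ticket key rotation or per-host separation need to know. A comment above the lookup would record it, e.g. `/* keys of the default server: tickets are shared by all servers on this listening socket */`. The function body starts and ends outside the hunk.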
@@ -2851,10 +2850,6 @@ ngx_ssl_session_ticket_key_callback(ngx_
 
     key = keys->elts;
 
-#if (NGX_DEBUG)
-    c = ngx_ssl_get_connection(ssl_conn);
-#endif
-
     if (enc == 1) {
         /* encrypt session ticket */
 
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -46,6 +46,7 @@ typedef struct {
 
 typedef struct {
     ngx_ssl_conn_t             *connection;
+    SSL_CTX                    *session_ctx;
 
     ngx_int_t                   last;
     ngx_buf_t                  *buf;


