[nginx] SSL: fixed segfault on renegotiation (ticket #1646).

Maxim Dounin mdounin at mdounin.ru
Tue Oct 2 15:12:52 UTC 2018


details:   http://hg.nginx.org/nginx/rev/bf1ac3dc1e68
branches:  
changeset: 7367:bf1ac3dc1e68
user:      Maxim Dounin <mdounin at mdounin.ru>
date:      Tue Oct 02 17:46:18 2018 +0300
description:
SSL: fixed segfault on renegotiation (ticket #1646).

In e3ba4026c02d (1.15.4) nginx own renegotiation checks were disabled
if SSL_OP_NO_RENEGOTIATION is available.  But since SSL_OP_NO_RENEGOTIATION
is only set on a connection, not in an SSL context, SSL_clear_option()
removed it as long as a matching virtual server was found.  This resulted
in a segmentation fault similar to the one fixed in a6902a941279 (1.9.8),
affecting nginx built with OpenSSL 1.1.0h or higher.

To fix this, SSL_OP_NO_RENEGOTIATION is now explicitly set in
ngx_http_ssl_servername() after adjusting options.  Additionally, instead
of c->ssl->renegotiation we now check c->ssl->handshaked, which seems
to be a more correct flag to test, and will prevent the segmentation fault
from happening even if SSL_OP_NO_RENEGOTIATION is not working.

diffstat:

 src/http/ngx_http_request.c |  6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

diffs (23 lines):

diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -854,7 +854,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *
 
     c = ngx_ssl_get_connection(ssl_conn);
 
-    if (c->ssl->renegotiation) {
+    if (c->ssl->handshaked) {
         return SSL_TLSEXT_ERR_NOACK;
     }
 
@@ -919,6 +919,10 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *
 #endif
 
         SSL_set_options(ssl_conn, SSL_CTX_get_options(sscf->ssl.ctx));
+
+#ifdef SSL_OP_NO_RENEGOTIATION
+        SSL_set_options(ssl_conn, SSL_OP_NO_RENEGOTIATION);
+#endif
     }
 
     return SSL_TLSEXT_ERR_OK;


More information about the nginx-devel mailing list