[nginx] SSL: disabled UI console prompts from worker processes.
noreply at nginx.com
noreply at nginx.com
Mon May 26 13:57:02 UTC 2025
details: https://github.com/nginx/nginx/commit/3d5889a3ee41a282bad54d9c0d3662dba9f52c1b
branches: master
commit: 3d5889a3ee41a282bad54d9c0d3662dba9f52c1b
user: Aleksei Bavshin <a.bavshin at nginx.com>
date: Fri, 17 Jan 2025 12:24:08 -0800
description:
SSL: disabled UI console prompts from worker processes.
Certain providers may attempt to reload the key on the first use after a
fork. Such an attempt would require re-prompting for the PIN, and this time we
are not able to pass the password callback.
While it is addressable with configuration for a specific provider, it would
be prudent to ensure that no such prompts could block worker processes by
setting the default UI method.
UI_null() first appeared in 1.1.1 along with the OSSL_STORE, so it is safe
to assume the same set of guards.
---
src/event/ngx_event_openssl_cache.c | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/src/event/ngx_event_openssl_cache.c b/src/event/ngx_event_openssl_cache.c
index cbb05892f..18efc73d0 100644
--- a/src/event/ngx_event_openssl_cache.c
+++ b/src/event/ngx_event_openssl_cache.c
@@ -122,6 +122,8 @@ static void ngx_ssl_cache_node_insert(ngx_rbtree_node_t *temp,
static void ngx_ssl_cache_node_free(ngx_rbtree_t *rbtree,
ngx_ssl_cache_node_t *cn);
+static ngx_int_t ngx_openssl_cache_init_worker(ngx_cycle_t *cycle);
+
static ngx_command_t ngx_openssl_cache_commands[] = {
@@ -150,7 +152,7 @@ ngx_module_t ngx_openssl_cache_module = {
NGX_CORE_MODULE, /* module type */
NULL, /* init master */
NULL, /* init module */
- NULL, /* init process */
+ ngx_openssl_cache_init_worker, /* init process */
NULL, /* init thread */
NULL, /* exit thread */
NULL, /* exit process */
@@ -1233,3 +1235,20 @@ ngx_ssl_cache_node_insert(ngx_rbtree_node_t *temp,
node->right = sentinel;
ngx_rbt_red(node);
}
+
+
+static ngx_int_t
+ngx_openssl_cache_init_worker(ngx_cycle_t *cycle)
+{
+#ifdef ERR_R_OSSL_STORE_LIB
+
+ if (ngx_process != NGX_PROCESS_WORKER) {
+ return NGX_OK;
+ }
+
+ UI_set_default_method(UI_null());
+
+#endif
+
+ return NGX_OK;
+}
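Review bot: The new ngx_openssl_cache_init_worker() has no comment, and both of its conditions are indirect: `#ifdef ERR_R_OSSL_STORE_LIB` stands in for "UI_null() exists (OpenSSL 1.1.1+)", and the `ngx_process != NGX_PROCESS_WORKER` return leaves the default UI untouched in every other process type. I would add above the call `/* workers have no console: fail a provider's PIN re-prompt instead of blocking on it */` and next to the guard `/* UI_null() appeared in 1.1.1 together with OSSL_STORE */`. UI_set_default_method() changes process-wide state, so any code in the worker that relies on the default UI rather than an explicit callback will now get an error where it used to prompt. Since the key reload itself happens outside this hunk, it is worth confirming that such a failure reaches the error log rather than surfacing only as a failed handshake. Builds without OSSL_STORE compile the function to a no-op and keep the previous behaviour.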