SSL engine support bug

Marcin Gozdalik gozdal at gmail.com
Thu Feb 12 18:03:16 MSK 2009


Hi

I believe I found a bug in the order of initialization of OpenSSL. The RSA
keys are initialized (RSA_new called) in SSL_CTX_use_certificate_chain_file
which is called from ngx_ssl_certificate which in turn is called from
ngx_conf_parse at src/core/ngx_conf_file.c:237. The ssl_engine is, however,
parsed in ngx_openssl_init_conf, which is called later. Therefore the created
RSA keys in SSL contexts use the built-in RSA_METHOD and not the one
provided by the loaded engine.
I don't have enough knowledge of nginx so I can't propose a solution, but the
obvious thing would be to change the order of parsing of those directives
(either load the engine earlier or load the SSL certificate and key later).

Best regards

-- 
Marcin Gozdalik <gozdal at gmail.com>
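
The ordering problem reported above, as an added example that is not part of the original message and is neither nginx nor OpenSSL source: a simplified C model in which a key captures the default RSA method at allocation time, as RSA_new does, run once with the engine loaded after parsing and once with it loaded in the directive handler. All type and function names here (rsa_method, key_new, engine_load, run_config) are hypothetical, and the two-directive configuration is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not OpenSSL or nginx source. All names are hypothetical. */
typedef struct { const char *name; } rsa_method;
static const rsa_method builtin_method = { "builtin" };
static const rsa_method engine_method  = { "engine" };
static const rsa_method *default_method = &builtin_method;

/* Like RSA_new(): the key captures the default method when it is allocated. */
typedef struct { const rsa_method *meth; } rsa_key;
static rsa_key key_new(void) { rsa_key k = { default_method }; return k; }

/* Like an engine registering its RSA implementation as the default. */
static void engine_load(void) { default_method = &engine_method; }

/* Walk the directives in file order, then run the post-parse init hook.
 * load_at_parse == 0: ssl_engine only records the request and the engine is
 *   loaded in the init hook (the order the message describes).
 * load_at_parse == 1: ssl_engine loads the engine inside its own handler.
 * Returns the name of the method bound to the certificate's key. */
static const char *run_config(const char *const *directives, size_t n, int load_at_parse)
{
    int engine_requested = 0;
    rsa_key key = { NULL };
    default_method = &builtin_method;            /* fresh process state */

    for (size_t i = 0; i < n; i++) {
        if (strcmp(directives[i], "ssl_engine") == 0) {
            engine_requested = 1;
            if (load_at_parse) engine_load();
        } else if (strcmp(directives[i], "ssl_certificate") == 0) {
            key = key_new();                     /* method is bound here */
        }
    }
    if (engine_requested && !load_at_parse)
        engine_load();                           /* too late for existing keys */
    return key.meth ? key.meth->name : "none";
}

/* Constructed sample: directive names in the order they appear in the file. */
static const char *const sample_conf[] = { "ssl_engine", "ssl_certificate" };

int main(void)
{
    printf("engine loaded after parse: key uses %s\n", run_config(sample_conf, 2, 0));
    printf("engine loaded at parse:    key uses %s\n", run_config(sample_conf, 2, 1));
    return 0;
}
```

In the model, loading the engine in the handler only helps when ssl_engine precedes ssl_certificate in the file; a key allocated before the engine is loaded keeps the built-in method either way.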