comparison src/event/ngx_event_openssl.c @ 364:a39aab45a53f NGINX_0_6_26
nginx 0.6.26
*) Bugfix: the "proxy_store" and "fastcgi_store" directives did not
check a response length.
*) Bugfix: a segmentation fault occurred in worker process, if big
value was used in a "expires" directive.
Thanks to Joaquin Cuenca Abela.
*) Bugfix: nginx incorrectly detected cache line size on Pentium 4.
Thanks to Gena Makhomed.
*) Bugfix: in proxied or FastCGI subrequests a client original method
was used instead of the GET method.
*) Bugfix: socket leak in HTTPS mode if deferred accept was used.
Thanks to Ben Maurer.
*) Bugfix: nginx issued the bogus error message "SSL_shutdown() failed
(SSL: )"; bug appeared in 0.6.23.
*) Bugfix: in HTTPS mode requests might fail with the "bad write retry"
error; bug appeared in 0.6.23.
author | Igor Sysoev <http://sysoev.ru> |
---|---|
date | Mon, 11 Feb 2008 00:00:00 +0300 |
parents | 2b41fbc2e39e |
children | babd3d9efb62 |
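--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -185,10 +185,17 @@
 
 if (ngx_ssl_protocols[protocols >> 1] != 0) {
 SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]);
 }
 
+/*
+* we need this option because in ngx_ssl_send_chain()
+* we may switch to a buffered write and may copy leftover part of
+* previously unbuffered data to our internal buffer
+*/
+SSL_CTX_set_mode(ssl->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
+
 SSL_CTX_set_read_ahead(ssl->ctx, 1);
 
 return NGX_OK;
 }
 
@@ -1033,23 +1040,20 @@
 
 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_shutdown: %d", n);
 
 sslerr = 0;
 
-/* SSL_shutdown() never return -1, on error it return 0 */
+/* SSL_shutdown() never returns -1, on error it returns 0 */
 
-if (n != 1) {
+if (n != 1 && ERR_peek_error()) {
 sslerr = SSL_get_error(c->ssl->connection, n);
 
 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
 "SSL_get_error: %d", sslerr);
 }
 
-if (n == 1
-|| sslerr == SSL_ERROR_ZERO_RETURN
-|| (sslerr == 0 && c->timedout))
-{
+if (n == 1 || sslerr == 0 || sslerr == SSL_ERROR_ZERO_RETURN) {
 SSL_free(c->ssl->connection);
 c->ssl = NULL;
 
 return NGX_OK;
 }
@@ -1109,10 +1113,11 @@
 
 static void
 ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
 char *text)
 {
+int n;
 ngx_uint_t level;
 
 level = NGX_LOG_CRIT;
 
 if (sslerr == SSL_ERROR_SYSCALL) {
@@ -1122,10 +1127,13 @@
 || err == NGX_ENOTCONN
 #if !(NGX_CRIT_ETIMEDOUT)
 || err == NGX_ETIMEDOUT
 #endif
 || err == NGX_ECONNREFUSED
+|| err == NGX_ENETDOWN
+|| err == NGX_ENETUNREACH
+|| err == NGX_EHOSTDOWN
 || err == NGX_EHOSTUNREACH)
 {
 switch (c->log_error) {
 
 case NGX_ERROR_IGNORE_ECONNRESET:
@@ -1139,46 +1147,82 @@
 
 default:
 break;
 }
 }
+
+} else if (sslerr == SSL_ERROR_SSL) {
+
+n = ERR_GET_REASON(ERR_peek_error());
+
+/* handshake failures */
+if (n == SSL_R_NO_SHARED_CIPHER
+|| n == SSL_R_UNEXPECTED_MESSAGE
+|| n == SSL_R_WRONG_VERSION_NUMBER
+|| n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */
+|| n == SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED
+|| n == SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER
+|| n == SSL_R_TLSV1_ALERT_UNKNOWN_CA)
+{
+switch (c->log_error) {
+
+case NGX_ERROR_IGNORE_ECONNRESET:
+case NGX_ERROR_INFO:
+level = NGX_LOG_INFO;
+break;
+
+case NGX_ERROR_ERR:
+level = NGX_LOG_ERR;
+break;
+
+default:
+break;
+}
+}
 }
 
 ngx_ssl_error(level, c->log, err, text);
 }
 
 
 static void
 ngx_ssl_clear_error(ngx_log_t *log)
 {
-if (ERR_peek_error()) {
+while (ERR_peek_error()) {
 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "ignoring stale global SSL error");
 }
+
+ERR_clear_error();
 }
 
 
 void ngx_cdecl
 ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err, char *fmt, ...)
 {
 u_long n;
 va_list args;
-u_char errstr[NGX_MAX_CONF_ERRSTR], *p, *last;
+u_char *p, *last;
+u_char errstr[NGX_MAX_CONF_ERRSTR];
 
 last = errstr + NGX_MAX_CONF_ERRSTR;
 
 va_start(args, fmt);
 p = ngx_vsnprintf(errstr, sizeof(errstr) - 1, fmt, args);
 va_end(args);
 
 p = ngx_cpystrn(p, (u_char *) " (SSL:", last - p);
 
-while (p < last) {
+for ( ;; ) {
 
 n = ERR_get_error();
 
 if (n == 0) {
 break;
+}
+
+if (p >= last) {
+continue;
 }
 
 *p++ = ' ';
 
 ERR_error_string_n(n, (char *) p, last - p);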
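Review bot: In the ngx_ssl_shutdown hunk the new guard `if (n != 1 && ERR_peek_error())` leaves `sslerr` at 0 whenever the OpenSSL error queue is empty, and the following test then frees the connection and returns NGX_OK on `sslerr == 0` for any value of `n`. That is only safe while the comment's premise holds that SSL_shutdown() never returns -1: on an OpenSSL build where it returns -1 with SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE pending, neither of which queues an error, an unsent or unanswered close_notify would be treated as a clean shutdown, and the peer cannot tell that close from truncation. I would keep `SSL_get_error()` unconditional for `n != 1` and write the success test as `n == 1 || sslerr == SSL_ERROR_ZERO_RETURN || (ERR_peek_error() == 0 && sslerr != SSL_ERROR_WANT_READ && sslerr != SSL_ERROR_WANT_WRITE)`, which still avoids the empty "(SSL: )" message. The function starts before and continues past this hunk, so how the remaining code handles the WANT_* cases is not visible here and should be checked.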