comparison src/event/ngx_event_openssl.c @ 542:2b9e388c61f1 NGINX_0_8_23

nginx 0.8.23 *) Security: now SSL/TLS renegotiation is disabled. Thanks to Maxim Dounin. *) Bugfix: listen unix domain socket did not inherit while online upgrade. *) Bugfix: the "unix:" parameter of the "set_real_ip_from" directive did not work without yet another directive with any IP address. *) Bugfix: segmentation fault and infinite looping in resolver. *) Bugfix: in resolver. Thanks to Artem Bokhan.
author Igor Sysoev <http://sysoev.ru>
date Wed, 11 Nov 2009 00:00:00 +0300
parents c04fa65fe604
children 43e02819c5cf
541:8da5668048b4 542:2b9e388c61f1
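--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -13,10 +13,12 @@
     ngx_uint_t engine; /* unsigned engine:1; */
 } ngx_openssl_conf_t;
 
 
 static int ngx_http_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store);
+static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where,
+    int ret);
 static void ngx_ssl_handshake_handler(ngx_event_t *ev);
 static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n);
 static void ngx_ssl_write_handler(ngx_event_t *wev);
 static void ngx_ssl_read_handler(ngx_event_t *rev);
 static void ngx_ssl_shutdown_handler(ngx_event_t *ev);
@@ -173,10 +175,12 @@
         SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]);
     }
 
     SSL_CTX_set_read_ahead(ssl->ctx, 1);
 
+    SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
+
     return NGX_OK;
 }
 
 
 ngx_int_t
@@ -345,10 +349,26 @@
         OPENSSL_free(issuer);
     }
 #endif
 
     return 1;
+}
+
+
+static void
+ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret)
+{
+    ngx_connection_t *c;
+
+    if (where & SSL_CB_HANDSHAKE_START) {
+        c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn);
+
+        if (c->ssl->handshaked) {
+            c->ssl->renegotiation = 1;
+            ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL renegotiation");
+        }
+    }
 }
 
 
 ngx_int_t
 ngx_ssl_generate_rsa512_key(ngx_ssl_t *ssl)
@@ -585,10 +605,15 @@
     c->recv = ngx_ssl_recv;
     c->send = ngx_ssl_write;
     c->recv_chain = ngx_ssl_recv_chain;
     c->send_chain = ngx_ssl_send_chain;
 
+    /* initial handshake done, disable renegotiation (CVE-2009-3555) */
+    if (c->ssl->connection->s3) {
+        c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
+    }
+
     return NGX_OK;
 }
 
     sslerr = SSL_get_error(c->ssl->connection, n);
 
@@ -786,10 +811,25 @@
 static ngx_int_t
 ngx_ssl_handle_recv(ngx_connection_t *c, int n)
 {
     int sslerr;
     ngx_err_t err;
+
+    if (c->ssl->renegotiation) {
+        /*
+         * disable renegotiation (CVE-2009-3555):
+         * OpenSSL (at least up to 0.9.8l) does not handle disabled
+         * renegotiation gracefully, so drop connection here
+         */
+
+        ngx_log_error(NGX_LOG_NOTICE, c->log, 0, "SSL renegotiation disabled");
+
+        c->ssl->no_wait_shutdown = 1;
+        c->ssl->no_send_shutdown = 1;
+
+        return NGX_ERROR;
+    }
 
     if (n > 0) {
 
         if (c->ssl->saved_write_handler) {
 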
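Review bot: The flag write in the handshake-completion hunk (new lines 611-612) reaches into OpenSSL's private `s3` structure and names `SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS`, which is not defined in every OpenSSL version, so the block should be wrapped in `#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS` … `#endif` so the file still compiles against libraries that lack it, with the detect-and-drop path in ngx_ssl_handle_recv remaining as the fallback. That fallback relationship is worth stating in the comment, e.g. `/* initial handshake done, disable renegotiation (CVE-2009-3555); without this flag ngx_ssl_handle_recv drops the connection when a renegotiation starts */`. In ngx_ssl_handle_recv the new check runs before `n` is inspected, so application data decrypted by the same SSL_read is discarded together with the connection; that is the conservative choice but deserves a one-line comment so nobody "optimizes" the order later. ngx_ssl_write is not in this section, so unless it is changed elsewhere a renegotiation that begins during a write is only acted on at the next read, which is likely acceptable but should be noted. ngx_ssl_handle_recv's body continues past the end of the hunk.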