Mercurial > hg > nginx-vendor-current
comparison src/event/ngx_event_openssl.c @ 364:a39aab45a53f NGINX_0_6_26
nginx 0.6.26
*) Bugfix: the "proxy_store" and "fastcgi_store" directives did not
check a response length.
*) Bugfix: a segmentation fault occurred in worker process, if big
value was used in a "expires" directive.
Thanks to Joaquin Cuenca Abela.
*) Bugfix: nginx incorrectly detected cache line size on Pentium 4.
Thanks to Gena Makhomed.
*) Bugfix: in proxied or FastCGI subrequests a client original method
was used instead of the GET method.
*) Bugfix: socket leak in HTTPS mode if deferred accept was used.
Thanks to Ben Maurer.
*) Bugfix: nginx issued the bogus error message "SSL_shutdown() failed
(SSL: )"; bug appeared in 0.6.23.
*) Bugfix: in HTTPS mode requests might fail with the "bad write retry"
error; bug appeared in 0.6.23.
| author | Igor Sysoev <http://sysoev.ru> |
|---|---|
| date | Mon, 11 Feb 2008 00:00:00 +0300 |
| parents | 2b41fbc2e39e |
| children | babd3d9efb62 |
comparison
equal
deleted
inserted
replaced
| 363:6999caedb665 | 364:a39aab45a53f |
|---|---|
| 185 | 185 |
| 186 if (ngx_ssl_protocols[protocols >> 1] != 0) { | 186 if (ngx_ssl_protocols[protocols >> 1] != 0) { |
| 187 SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]); | 187 SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]); |
| 188 } | 188 } |
| 189 | 189 |
| 190 /* | |
| 191 * we need this option because in ngx_ssl_send_chain() | |
| 192 * we may switch to a buffered write and may copy leftover part of | |
| 193 * previously unbuffered data to our internal buffer | |
| 194 */ | |
| 195 SSL_CTX_set_mode(ssl->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); | |
| 196 | |
| 190 SSL_CTX_set_read_ahead(ssl->ctx, 1); | 197 SSL_CTX_set_read_ahead(ssl->ctx, 1); |
| 191 | 198 |
| 192 return NGX_OK; | 199 return NGX_OK; |
| 193 } | 200 } |
| 194 | 201 |
| 1033 | 1040 |
| 1034 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_shutdown: %d", n); | 1041 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_shutdown: %d", n); |
| 1035 | 1042 |
| 1036 sslerr = 0; | 1043 sslerr = 0; |
| 1037 | 1044 |
| 1038 /* SSL_shutdown() never return -1, on error it return 0 */ | 1045 /* SSL_shutdown() never returns -1, on error it returns 0 */ |
| 1039 | 1046 |
| 1040 if (n != 1) { | 1047 if (n != 1 && ERR_peek_error()) { |
| 1041 sslerr = SSL_get_error(c->ssl->connection, n); | 1048 sslerr = SSL_get_error(c->ssl->connection, n); |
| 1042 | 1049 |
| 1043 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, | 1050 ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, |
| 1044 "SSL_get_error: %d", sslerr); | 1051 "SSL_get_error: %d", sslerr); |
| 1045 } | 1052 } |
| 1046 | 1053 |
| 1047 if (n == 1 | 1054 if (n == 1 || sslerr == 0 || sslerr == SSL_ERROR_ZERO_RETURN) { |
| 1048 || sslerr == SSL_ERROR_ZERO_RETURN | |
| 1049 || (sslerr == 0 && c->timedout)) | |
| 1050 { | |
| 1051 SSL_free(c->ssl->connection); | 1055 SSL_free(c->ssl->connection); |
| 1052 c->ssl = NULL; | 1056 c->ssl = NULL; |
| 1053 | 1057 |
| 1054 return NGX_OK; | 1058 return NGX_OK; |
| 1055 } | 1059 } |
| 1109 | 1113 |
| 1110 static void | 1114 static void |
| 1111 ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err, | 1115 ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err, |
| 1112 char *text) | 1116 char *text) |
| 1113 { | 1117 { |
| 1118 int n; | |
| 1114 ngx_uint_t level; | 1119 ngx_uint_t level; |
| 1115 | 1120 |
| 1116 level = NGX_LOG_CRIT; | 1121 level = NGX_LOG_CRIT; |
| 1117 | 1122 |
| 1118 if (sslerr == SSL_ERROR_SYSCALL) { | 1123 if (sslerr == SSL_ERROR_SYSCALL) { |
| 1122 || err == NGX_ENOTCONN | 1127 || err == NGX_ENOTCONN |
| 1123 #if !(NGX_CRIT_ETIMEDOUT) | 1128 #if !(NGX_CRIT_ETIMEDOUT) |
| 1124 || err == NGX_ETIMEDOUT | 1129 || err == NGX_ETIMEDOUT |
| 1125 #endif | 1130 #endif |
| 1126 || err == NGX_ECONNREFUSED | 1131 || err == NGX_ECONNREFUSED |
| 1132 || err == NGX_ENETDOWN | |
| 1133 || err == NGX_ENETUNREACH | |
| 1134 || err == NGX_EHOSTDOWN | |
| 1127 || err == NGX_EHOSTUNREACH) | 1135 || err == NGX_EHOSTUNREACH) |
| 1128 { | 1136 { |
| 1129 switch (c->log_error) { | 1137 switch (c->log_error) { |
| 1130 | 1138 |
| 1131 case NGX_ERROR_IGNORE_ECONNRESET: | 1139 case NGX_ERROR_IGNORE_ECONNRESET: |
| 1139 | 1147 |
| 1140 default: | 1148 default: |
| 1141 break; | 1149 break; |
| 1142 } | 1150 } |
| 1143 } | 1151 } |
| 1152 | |
| 1153 } else if (sslerr == SSL_ERROR_SSL) { | |
| 1154 | |
| 1155 n = ERR_GET_REASON(ERR_peek_error()); | |
| 1156 | |
| 1157 /* handshake failures */ | |
| 1158 if (n == SSL_R_NO_SHARED_CIPHER | |
| 1159 || n == SSL_R_UNEXPECTED_MESSAGE | |
| 1160 || n == SSL_R_WRONG_VERSION_NUMBER | |
| 1161 || n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */ | |
| 1162 || n == SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED | |
| 1163 || n == SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER | |
| 1164 || n == SSL_R_TLSV1_ALERT_UNKNOWN_CA) | |
| 1165 { | |
| 1166 switch (c->log_error) { | |
| 1167 | |
| 1168 case NGX_ERROR_IGNORE_ECONNRESET: | |
| 1169 case NGX_ERROR_INFO: | |
| 1170 level = NGX_LOG_INFO; | |
| 1171 break; | |
| 1172 | |
| 1173 case NGX_ERROR_ERR: | |
| 1174 level = NGX_LOG_ERR; | |
| 1175 break; | |
| 1176 | |
| 1177 default: | |
| 1178 break; | |
| 1179 } | |
| 1180 } | |
| 1144 } | 1181 } |
| 1145 | 1182 |
| 1146 ngx_ssl_error(level, c->log, err, text); | 1183 ngx_ssl_error(level, c->log, err, text); |
| 1147 } | 1184 } |
| 1148 | 1185 |
| 1149 | 1186 |
| 1150 static void | 1187 static void |
| 1151 ngx_ssl_clear_error(ngx_log_t *log) | 1188 ngx_ssl_clear_error(ngx_log_t *log) |
| 1152 { | 1189 { |
| 1153 if (ERR_peek_error()) { | 1190 while (ERR_peek_error()) { |
| 1154 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "ignoring stale global SSL error"); | 1191 ngx_ssl_error(NGX_LOG_ALERT, log, 0, "ignoring stale global SSL error"); |
| 1155 } | 1192 } |
| 1193 | |
| 1194 ERR_clear_error(); | |
| 1156 } | 1195 } |
| 1157 | 1196 |
| 1158 | 1197 |
| 1159 void ngx_cdecl | 1198 void ngx_cdecl |
| 1160 ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err, char *fmt, ...) | 1199 ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err, char *fmt, ...) |
| 1161 { | 1200 { |
| 1162 u_long n; | 1201 u_long n; |
| 1163 va_list args; | 1202 va_list args; |
| 1164 u_char errstr[NGX_MAX_CONF_ERRSTR], *p, *last; | 1203 u_char *p, *last; |
| 1204 u_char errstr[NGX_MAX_CONF_ERRSTR]; | |
| 1165 | 1205 |
| 1166 last = errstr + NGX_MAX_CONF_ERRSTR; | 1206 last = errstr + NGX_MAX_CONF_ERRSTR; |
| 1167 | 1207 |
| 1168 va_start(args, fmt); | 1208 va_start(args, fmt); |
| 1169 p = ngx_vsnprintf(errstr, sizeof(errstr) - 1, fmt, args); | 1209 p = ngx_vsnprintf(errstr, sizeof(errstr) - 1, fmt, args); |
| 1170 va_end(args); | 1210 va_end(args); |
| 1171 | 1211 |
| 1172 p = ngx_cpystrn(p, (u_char *) " (SSL:", last - p); | 1212 p = ngx_cpystrn(p, (u_char *) " (SSL:", last - p); |
| 1173 | 1213 |
| 1174 while (p < last) { | 1214 for ( ;; ) { |
| 1175 | 1215 |
| 1176 n = ERR_get_error(); | 1216 n = ERR_get_error(); |
| 1177 | 1217 |
| 1178 if (n == 0) { | 1218 if (n == 0) { |
| 1179 break; | 1219 break; |
| 1220 } | |
| 1221 | |
| 1222 if (p >= last) { | |
| 1223 continue; | |
| 1180 } | 1224 } |
| 1181 | 1225 |
| 1182 *p++ = ' '; | 1226 *p++ = ' '; |
| 1183 | 1227 |
| 1184 ERR_error_string_n(n, (char *) p, last - p); | 1228 ERR_error_string_n(n, (char *) p, last - p); |