Mercurial > hg > nginx-quic
comparison src/event/ngx_event_openssl_stapling.c @ 7493:dbebbb25ae92
OCSP stapling: fixed segfault with dynamic certificate loading.

If OCSP stapling was enabled with dynamic certificate loading, with some
OpenSSL versions (1.0.2o and older, 1.1.0h and older; fixed in 1.0.2p,
1.1.0i, 1.1.1) a segmentation fault might happen.

The reason is that during an abbreviated handshake the certificate
callback is not called, but the certificate status callback was called
(https://github.com/openssl/openssl/issues/1662), leading to NULL being
returned from SSL_get_certificate().

Fix is to explicitly check SSL_get_certificate() result.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 15 Apr 2019 19:13:09 +0300 |
parents | edf5cd6c56fa |
children | b99cbafd51da |
7492:ce9942d4df55 | 7493:dbebbb25ae92 |
---|---|
509 "SSL certificate status callback"); | 509 "SSL certificate status callback"); |
510 | 510 |
511 rc = SSL_TLSEXT_ERR_NOACK; | 511 rc = SSL_TLSEXT_ERR_NOACK; |
512 | 512 |
513 cert = SSL_get_certificate(ssl_conn); | 513 cert = SSL_get_certificate(ssl_conn); |
514 | |
515 if (cert == NULL) { | |
516 return rc; | |
517 } | |
518 | |
514 staple = X509_get_ex_data(cert, ngx_ssl_stapling_index); | 519 staple = X509_get_ex_data(cert, ngx_ssl_stapling_index); |
515 | 520 |
516 if (staple == NULL) { | 521 if (staple == NULL) { |
517 return rc; | 522 return rc; |
518 } | 523 } |
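
Review bot: The new `cert == NULL` check after `SSL_get_certificate(ssl_conn)` carries no comment saying why a NULL certificate can occur here, and that is not obvious from the code alone. According to the commit message it happens on abbreviated handshakes with OpenSSL 1.0.2o and older or 1.1.0h and older, where the certificate status callback runs although the certificate callback did not (openssl issue 1662). A short comment above the check naming that case and the affected versions would keep the guard from being removed later as apparently dead code. Returning `rc`, which is still `SSL_TLSEXT_ERR_NOACK` at this point, matches the existing `staple == NULL` path directly below, so the handshake continues without a stapled response instead of passing NULL to `X509_get_ex_data()`.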