Mercurial > hg > nginx-quic
view src/mail/ngx_mail_pop3_module.h @ 7367:bf1ac3dc1e68
SSL: fixed segfault on renegotiation (ticket #1646).
In e3ba4026c02d (1.15.4) nginx own renegotiation checks were disabled
if SSL_OP_NO_RENEGOTIATION is available. But since SSL_OP_NO_RENEGOTIATION
is only set on a connection, not in an SSL context, SSL_clear_option()
removed it as long as a matching virtual server was found. This resulted
in a segmentation fault similar to the one fixed in a6902a941279 (1.9.8),
affecting nginx built with OpenSSL 1.1.0h or higher.
To fix this, SSL_OP_NO_RENEGOTIATION is now explicitly set in
ngx_http_ssl_servername() after adjusting options. Additionally, instead
of c->ssl->renegotiation we now check c->ssl->handshaked, which seems
to be a more correct flag to test, and will prevent the segmentation fault
from happening even if SSL_OP_NO_RENEGOTIATION is not working.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Tue, 02 Oct 2018 17:46:18 +0300 |
parents | d620f497c50f |
children |
line wrap: on
line source
/* * Copyright (C) Igor Sysoev * Copyright (C) Nginx, Inc. */ #ifndef _NGX_MAIL_POP3_MODULE_H_INCLUDED_ #define _NGX_MAIL_POP3_MODULE_H_INCLUDED_ #include <ngx_config.h> #include <ngx_core.h> #include <ngx_mail.h> typedef struct { ngx_str_t capability; ngx_str_t starttls_capability; ngx_str_t starttls_only_capability; ngx_str_t auth_capability; ngx_uint_t auth_methods; ngx_array_t capabilities; } ngx_mail_pop3_srv_conf_t; void ngx_mail_pop3_init_session(ngx_mail_session_t *s, ngx_connection_t *c); void ngx_mail_pop3_init_protocol(ngx_event_t *rev); void ngx_mail_pop3_auth_state(ngx_event_t *rev); ngx_int_t ngx_mail_pop3_parse_command(ngx_mail_session_t *s); extern ngx_module_t ngx_mail_pop3_module; #endif /* _NGX_MAIL_POP3_MODULE_H_INCLUDED_ */