Mercurial > hg > nginx
comparison src/event/ngx_event_openssl_stapling.c @ 7493:dbebbb25ae92
OCSP stapling: fixed segfault with dynamic certificate loading.
If OCSP stapling was enabled with dynamic certificate loading, with some
OpenSSL versions (1.0.2o and older, 1.1.0h and older; fixed in 1.0.2p,
1.1.0i, 1.1.1) a segmentation fault might happen.
The reason is that during an abbreviated handshake the certificate
callback is not called, but the certificate status callback was called
(https://github.com/openssl/openssl/issues/1662), leading to NULL being
returned from SSL_get_certificate().
Fix is to explicitly check SSL_get_certificate() result.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Mon, 15 Apr 2019 19:13:09 +0300 |
| parents | edf5cd6c56fa |
| children | b99cbafd51da |
comparison
equal
deleted
inserted
replaced
| 7492:ce9942d4df55 | 7493:dbebbb25ae92 |
|---|---|
| 509 "SSL certificate status callback"); | 509 "SSL certificate status callback"); |
| 510 | 510 |
| 511 rc = SSL_TLSEXT_ERR_NOACK; | 511 rc = SSL_TLSEXT_ERR_NOACK; |
| 512 | 512 |
| 513 cert = SSL_get_certificate(ssl_conn); | 513 cert = SSL_get_certificate(ssl_conn); |
| 514 | |
| 515 if (cert == NULL) { | |
| 516 return rc; | |
| 517 } | |
| 518 | |
| 514 staple = X509_get_ex_data(cert, ngx_ssl_stapling_index); | 519 staple = X509_get_ex_data(cert, ngx_ssl_stapling_index); |
| 515 | 520 |
| 516 if (staple == NULL) { | 521 if (staple == NULL) { |
| 517 return rc; | 522 return rc; |
| 518 } | 523 } |