# HG changeset patch # User Igor Sysoev # Date 1209894479 0 # Node ID 7cef148d87a051e7cc773fb507e05acd1de4a51c # Parent c7757ce0ae973ab86f9c980deb99ecf68b314a6e r1862, r1866, r1869, r1874 merge: *) revert SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER, removed in r1852 *) fix bogus crit log message "SSL_shutdown() failed" introduced in r1852 *) pull all errors diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -187,6 +187,13 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_ SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]); } + /* + * we need this option because in ngx_ssl_send_chain() + * we may switch to a buffered write and may copy leftover part of + * previously unbuffered data to our internal buffer + */ + SSL_CTX_set_mode(ssl->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); + SSL_CTX_set_read_ahead(ssl->ctx, 1); return NGX_OK; @@ -1000,17 +1007,14 @@ ngx_ssl_shutdown(ngx_connection_t *c) /* SSL_shutdown() never return -1, on error it return 0 */ - if (n != 1) { + if (n != 1 && ERR_peek_error()) { sslerr = SSL_get_error(c->ssl->connection, n); ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); } - if (n == 1 - || sslerr == SSL_ERROR_ZERO_RETURN - || (sslerr == 0 && c->timedout)) - { + if (n == 1 || sslerr == 0 || sslerr == SSL_ERROR_ZERO_RETURN) { SSL_free(c->ssl->connection); c->ssl = NULL; @@ -1113,18 +1117,21 @@ ngx_ssl_connection_error(ngx_connection_ static void ngx_ssl_clear_error(ngx_log_t *log) { - if (ERR_peek_error()) { + while (ERR_peek_error()) { ngx_ssl_error(NGX_LOG_ALERT, log, 0, "ignoring stale global SSL error"); } + + ERR_clear_error(); } void ngx_cdecl ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err, char *fmt, ...) { - u_long n; - va_list args; - u_char errstr[NGX_MAX_CONF_ERRSTR], *p, *last; + u_long n; + va_list args; + u_char *p, *last; + u_char errstr[NGX_MAX_CONF_ERRSTR]; last = errstr + NGX_MAX_CONF_ERRSTR; @@ -1134,7 +1141,7 @@ ngx_ssl_error(ngx_uint_t level, ngx_log_ p = ngx_cpystrn(p, (u_char *) " (SSL:", last - p); - while (p < last) { + for ( ;; ) { n = ERR_get_error(); @@ -1142,6 +1149,10 @@ ngx_ssl_error(ngx_uint_t level, ngx_log_ break; } + if (p >= last) { + continue; + } + *p++ = ' '; ERR_error_string_n(n, (char *) p, last - p);