# HG changeset patch # User Maxim Dounin # Date 1538491578 -10800 # Node ID bf1ac3dc1e6856371c60bc5c57084662926dba0e # Parent 7bf3c323cb6e15e73dc612b56ee973d06ab15542 SSL: fixed segfault on renegotiation (ticket #1646). In e3ba4026c02d (1.15.4) nginx own renegotiation checks were disabled if SSL_OP_NO_RENEGOTIATION is available. But since SSL_OP_NO_RENEGOTIATION is only set on a connection, not in an SSL context, SSL_clear_option() removed it as long as a matching virtual server was found. This resulted in a segmentation fault similar to the one fixed in a6902a941279 (1.9.8), affecting nginx built with OpenSSL 1.1.0h or higher. To fix this, SSL_OP_NO_RENEGOTIATION is now explicitly set in ngx_http_ssl_servername() after adjusting options. Additionally, instead of c->ssl->renegotiation we now check c->ssl->handshaked, which seems to be a more correct flag to test, and will prevent the segmentation fault from happening even if SSL_OP_NO_RENEGOTIATION is not working. diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -854,7 +854,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t * c = ngx_ssl_get_connection(ssl_conn); - if (c->ssl->renegotiation) { + if (c->ssl->handshaked) { return SSL_TLSEXT_ERR_NOACK; } @@ -919,6 +919,10 @@ ngx_http_ssl_servername(ngx_ssl_conn_t * #endif SSL_set_options(ssl_conn, SSL_CTX_get_options(sscf->ssl.ctx)); + +#ifdef SSL_OP_NO_RENEGOTIATION + SSL_set_options(ssl_conn, SSL_OP_NO_RENEGOTIATION); +#endif } return SSL_TLSEXT_ERR_OK;