[PATCH 1 of 2] Upstream: fixed passwords usage for certificates with variables

Maxim Dounin mdounin at mdounin.ru
Sun Apr 13 02:16:47 UTC 2025


# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1744509644 -10800
#      Sun Apr 13 05:00:44 2025 +0300
# Node ID d154c555af30dc07a5a5d9bffa559fb1be0da019
# Parent  8e674d7e1a1ad3648498d0cba2c9b2a9da5d3777
Upstream: fixed passwords usage for certificates with variables.

SSL certificate passwords are stored separately from the SSL context
created for SSL proxying, yet modified when the context is created
if certificates with variables are used (to ensure passwords will be
available at run time).  Optimizations introduced in 8053:9d98d524bd02
(1.23.1) did not take this into account: when an SSL context is inherited,
the passwords that were never preserved for run-time use could still be
looked up at run time, such as in the following configuration:

server {
    proxy_ssl_certificate $crt;
    proxy_ssl_certificate_key $key;
    proxy_ssl_password_file foo;

    location /1/ {
        proxy_pass https://u;
    }

    location /2/ {
        proxy_pass https://u;
    }
}

Fix is to preserve passwords if needed when using an inherited SSL
context.

diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c
--- a/src/http/modules/ngx_http_grpc_module.c
+++ b/src/http/modules/ngx_http_grpc_module.c
@@ -4935,6 +4935,19 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ng
     ngx_pool_cleanup_t  *cln;
 
     if (glcf->upstream.ssl->ctx) {
+
+        if (glcf->upstream.ssl_certificate
+            && glcf->upstream.ssl_certificate->value.len
+            && (glcf->upstream.ssl_certificate->lengths
+                || glcf->upstream.ssl_certificate_key->lengths))
+        {
+            glcf->upstream.ssl_passwords =
+                  ngx_ssl_preserve_passwords(cf, glcf->upstream.ssl_passwords);
+            if (glcf->upstream.ssl_passwords == NULL) {
+                return NGX_ERROR;
+            }
+        }
+
         return NGX_OK;
     }
 
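Review bot: The added condition dereferences `glcf->upstream.ssl_certificate_key->lengths` without first checking that `ssl_certificate_key` is non-NULL, while the path that builds a fresh context (below this hunk, not visible here) presumably rejects a certificate configured without a key before it reaches the same expression. If a location can inherit a context while having `grpc_ssl_certificate` set and `grpc_ssl_certificate_key` unset, this is a NULL dereference at configuration time; if the merge logic rules that out, it deserves a one-line comment above the `if`, e.g. `/* ctx is inherited, so a certificate without a key was already rejected when it was created */`. ngx_http_grpc_set_ssl starts before this hunk and continues after it.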
diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -4987,6 +4987,19 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n
     ngx_pool_cleanup_t  *cln;
 
     if (plcf->upstream.ssl->ctx) {
+
+        if (plcf->upstream.ssl_certificate
+            && plcf->upstream.ssl_certificate->value.len
+            && (plcf->upstream.ssl_certificate->lengths
+                || plcf->upstream.ssl_certificate_key->lengths))
+        {
+            plcf->upstream.ssl_passwords =
+                  ngx_ssl_preserve_passwords(cf, plcf->upstream.ssl_passwords);
+            if (plcf->upstream.ssl_passwords == NULL) {
+                return NGX_ERROR;
+            }
+        }
+
         return NGX_OK;
     }
 
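Review bot: The inherited-context branch now replaces `plcf->upstream.ssl_passwords` with no comment explaining why passwords need preserving when the SSL context itself is reused; a reader will assume the shared ctx already carries them. A comment above the added `if`, such as `/* ctx is shared, but passwords are per-location and must outlive configuration when certificates contain variables */`, would keep the reasoning from the commit message next to the code. As in the sibling hunks, `ssl_certificate_key` is dereferenced without a NULL check here; if the merge logic guarantees it is set whenever `ssl_certificate` is, saying so in that comment would close the question. ngx_http_proxy_set_ssl continues outside the hunk on both sides.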
diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c
--- a/src/http/modules/ngx_http_uwsgi_module.c
+++ b/src/http/modules/ngx_http_uwsgi_module.c
@@ -2519,6 +2519,19 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, n
     ngx_pool_cleanup_t  *cln;
 
     if (uwcf->upstream.ssl->ctx) {
+
+        if (uwcf->upstream.ssl_certificate
+            && uwcf->upstream.ssl_certificate->value.len
+            && (uwcf->upstream.ssl_certificate->lengths
+                || uwcf->upstream.ssl_certificate_key->lengths))
+        {
+            uwcf->upstream.ssl_passwords =
+                  ngx_ssl_preserve_passwords(cf, uwcf->upstream.ssl_passwords);
+            if (uwcf->upstream.ssl_passwords == NULL) {
+                return NGX_ERROR;
+            }
+        }
+
         return NGX_OK;
     }
 
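Review bot: This is the third byte-for-byte copy of the same thirteen lines in one patch (grpc and proxy carry identical code), and the condition presumably mirrors the one used later in each set_ssl function when a fresh context is built, so the two now have to be kept in step by hand in three files. A small shared helper taking `cf` and the upstream conf, called from the inherited-ctx branch of all three modules, would remove the duplication; if per-module copies are the project's preference, a comment on the `if` pointing at the later condition it must match is the cheaper alternative. The enclosing ngx_http_uwsgi_set_ssl is cut at both ends of the hunk.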


