[nginx] SSL: usage of SSL_SESSION_get_time_ex() with OpenSSL 3.3+.
Maxim Dounin
mdounin at mdounin.ru
Thu Jun 5 00:35:57 UTC 2025
details: http://freenginx.org/hg/nginx/rev/ab7fedd48bfe
branches:
changeset: 9377:ab7fedd48bfe
user: Maxim Dounin <mdounin at mdounin.ru>
date: Thu Jun 05 02:52:54 2025 +0300
description:
SSL: usage of SSL_SESSION_get_time_ex() with OpenSSL 3.3+.

In OpenSSL, SSL_SESSION_get_time() and SSL_SESSION_set_time() functions
use "long" to store seconds since the Epoch, which makes these functions
problematic after Y2038 on 32-bit platforms, and, more importantly, on
64-bit platforms with 32-bit long (notably Windows).

Note that there is no such problem in BoringSSL, which uses uint64_t
instead of "long". LibreSSL also uses "long", but it does not support
TLSv1.3 session resumption anyway, hence this is not an issue.

Fix is to use SSL_SESSION_get_time_ex() and SSL_SESSION_set_time_ex()
functions introduced in OpenSSL 3.3 when these are available.

Prodded by MSVC with C4244 warnings (conversion from 'type1' to 'type2',
possible loss of data) enabled.

diffstat:
src/event/ngx_event_openssl.c | 2 +-
src/event/ngx_event_openssl.h | 6 ++++++
2 files changed, 7 insertions(+), 1 deletions(-)
diffs (28 lines):
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -1190,7 +1190,7 @@ ngx_ssl_info_callback(const ngx_ssl_conn
} else {
SSL_SESSION_set_time(sess, now);
- SSL_SESSION_set_timeout(sess, timeout - (now - time));
+ SSL_SESSION_set_timeout(sess, (long) (timeout - (now - time)));
}
}
}
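
Review bot: The (long) cast added to the SSL_SESSION_set_timeout() call silences the C4244 narrowing warning without documenting why the narrowing is safe. Nothing visible in this hunk shows that timeout - (now - time) is non-negative and fits in a 32-bit long; that presumably follows from the condition guarding this else branch, which is outside the context shown. A one-line comment above the call stating that invariant (the remaining lifetime is bounded by timeout), or an explicit range check before the cast, would keep the next reader from having to re-derive it, since a wrong assumption here would silently produce a bogus session timeout.
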
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -83,6 +83,12 @@
#endif
+#if (OPENSSL_VERSION_NUMBER > 0x30300000L)
+#define SSL_SESSION_get_time(s) SSL_SESSION_get_time_ex(s)
+#define SSL_SESSION_set_time(s, t) SSL_SESSION_set_time_ex(s, t)
+#endif
+
+
typedef struct ngx_ssl_ocsp_s ngx_ssl_ocsp_t;
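
Review bot: The guard on the new macros uses a strict comparison, OPENSSL_VERSION_NUMBER > 0x30300000L, so a build whose version number is exactly 0x30300000L does not get the _ex() mappings and keeps the "long"-based functions, while the commit message says the functions are available from OpenSSL 3.3. Consider >= 0x30300000L, or add a comment explaining why the boundary value is deliberately excluded. It would also help to note next to the defines that they change the type returned by SSL_SESSION_get_time() for every file including this header, so any caller still storing the result in a "long" reintroduces the truncation this change is meant to remove.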