Mercurial > hg > nginx
changeset 7493:dbebbb25ae92
OCSP stapling: fixed segfault with dynamic certificate loading.
If OCSP stapling was enabled with dynamic certificate loading, with some
OpenSSL versions (1.0.2o and older, 1.1.0h and older; fixed in 1.0.2p,
1.1.0i, 1.1.1) a segmentation fault might happen.
The reason is that during an abbreviated handshake the certificate
callback is not called, but the certificate status callback was called
(https://github.com/openssl/openssl/issues/1662), leading to NULL being
returned from SSL_get_certificate().
Fix is to explicitly check SSL_get_certificate() result.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 15 Apr 2019 19:13:09 +0300 |
parents | ce9942d4df55 |
children | a42a6dfeb01a |
files | src/event/ngx_event_openssl_stapling.c |
diffstat | 1 files changed, 5 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- a/src/event/ngx_event_openssl_stapling.c Mon Apr 15 19:13:06 2019 +0300 +++ b/src/event/ngx_event_openssl_stapling.c Mon Apr 15 19:13:09 2019 +0300 @@ -511,6 +511,11 @@ rc = SSL_TLSEXT_ERR_NOACK; cert = SSL_get_certificate(ssl_conn); + + if (cert == NULL) { + return rc; + } + staple = X509_get_ex_data(cert, ngx_ssl_stapling_index); if (staple == NULL) {