bugfix: applied a patch to the nginx core to ensure the ssl handshake procedure in ngx_proxy is always protected by a timer for timeout errors. see http://mailman.nginx.org/pipermail/nginx-devel/2014-July/005627.html

This commit is contained in:
Yichun Zhang (agentzh) 2014-07-22 17:10:22 -07:00
parent cc4a307f0e
commit f26ae39115
2 changed files with 27 additions and 0 deletions


@ -0,0 +1,23 @@
# HG changeset patch
# User Yichun Zhang <agentzh@gmail.com>
# Date 1406068295 25200
# Tue Jul 22 15:31:35 2014 -0700
# Node ID 1db962fc3522ce61313b684ca8251a6462992d40
# Parent 93614769dd4b6df8844c3c43c6a0b3f83bfa6746
Proxy: added timeout protection to SSL handshake.
Previously, proxy relied on the write event timer created when connect()
could not complete immediately to protect SSL handshake timeouts. But when
connect() can complete in a single run, there is no timer protection at all.
diff -r 93614769dd4b -r 1db962fc3522 src/http/ngx_http_upstream.c
--- a/src/http/ngx_http_upstream.c Sun May 11 21:56:07 2014 -0700
+++ b/src/http/ngx_http_upstream.c Tue Jul 22 15:31:35 2014 -0700
@@ -1387,6 +1387,7 @@ ngx_http_upstream_ssl_init_connection(ng
rc = ngx_ssl_handshake(c);
if (rc == NGX_AGAIN) {
+ ngx_add_timer(c->write, u->conf->connect_timeout);
c->ssl->handler = ngx_http_upstream_ssl_handshake;
return;
}
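Review bot: The added `ngx_add_timer(c->write, u->conf->connect_timeout);` arms a timer whose expiry and cancellation are both handled outside this hunk, so the patch should be checked against `ngx_http_upstream_ssl_handshake` to confirm that a completed handshake clears it with `if (c->write->timer_set) { ngx_del_timer(c->write); }` before the write event is reused, and that an expired timer is reported as a timeout rather than a generic handshake error (presumably the SSL event handler invokes `c->ssl->handler` with the handshake still incomplete in that case; verify). Reusing `connect_timeout` for the handshake is a sensible choice, but it deserves a one-line comment in the patch, e.g. `/* no dedicated handshake timeout exists; reuse connect_timeout so a stalled handshake cannot hang the upstream */`. `ngx_http_upstream_ssl_init_connection` starts before this hunk and its remaining branches continue after it.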


@ -216,6 +216,10 @@ echo "$info_txt applying the cache_manager_exit patch for nginx $ver"
patch -p1 < $root/patches/nginx-$ver-cache_manager_exit.patch || exit 1 patch -p1 < $root/patches/nginx-$ver-cache_manager_exit.patch || exit 1
echo echo
echo "$info_txt applying the proxy_ssl_handshake_timer patch for nginx $ver"
patch -p1 < $root/patches/nginx-$ver-proxy_ssl_handshake_timer.patch || exit 1
echo
answer=`$root/util/ver-ge "$main_ver" 1.4.4` answer=`$root/util/ver-ge "$main_ver" 1.4.4`
if [ "$answer" = "N" ]; then if [ "$answer" = "N" ]; then
echo "$info_txt applying the CVE-2013-4547 patch for nginx $ver" echo "$info_txt applying the CVE-2013-4547 patch for nginx $ver"