bugfix: applied a patch to the nginx core to ensure the ssl handshake procedure in ngx_proxy is always protected by a timer for timeout errors. see http://mailman.nginx.org/pipermail/nginx-devel/2014-July/005627.html
This commit is contained in:
parent
cc4a307f0e
commit
f26ae39115
|
@ -0,0 +1,23 @@
|
||||||
|
# HG changeset patch
|
||||||
|
# User Yichun Zhang <agentzh@gmail.com>
|
||||||
|
# Date 1406068295 25200
|
||||||
|
# Tue Jul 22 15:31:35 2014 -0700
|
||||||
|
# Node ID 1db962fc3522ce61313b684ca8251a6462992d40
|
||||||
|
# Parent 93614769dd4b6df8844c3c43c6a0b3f83bfa6746
|
||||||
|
Proxy: added timeout protection to SSL handshake.
|
||||||
|
|
||||||
|
Previously, proxy relied on the write event timer created when connect()
|
||||||
|
could not complete immediately to protect SSL handshake timeouts. But when
|
||||||
|
connect() can complete in a single run, there is no timer protection at all.
|
||||||
|
|
||||||
|
diff -r 93614769dd4b -r 1db962fc3522 src/http/ngx_http_upstream.c
|
||||||
|
--- a/src/http/ngx_http_upstream.c Sun May 11 21:56:07 2014 -0700
|
||||||
|
+++ b/src/http/ngx_http_upstream.c Tue Jul 22 15:31:35 2014 -0700
|
||||||
|
@@ -1387,6 +1387,7 @@ ngx_http_upstream_ssl_init_connection(ng
|
||||||
|
rc = ngx_ssl_handshake(c);
|
||||||
|
|
||||||
|
if (rc == NGX_AGAIN) {
|
||||||
|
+ ngx_add_timer(c->write, u->conf->connect_timeout);
|
||||||
|
c->ssl->handler = ngx_http_upstream_ssl_handshake;
|
||||||
|
return;
|
||||||
|
}
|
|
@ -216,6 +216,10 @@ echo "$info_txt applying the cache_manager_exit patch for nginx $ver"
|
||||||
patch -p1 < $root/patches/nginx-$ver-cache_manager_exit.patch || exit 1
|
patch -p1 < $root/patches/nginx-$ver-cache_manager_exit.patch || exit 1
|
||||||
echo
|
echo
|
||||||
|
|
||||||
|
echo "$info_txt applying the proxy_ssl_handshake_timer patch for nginx $ver"
|
||||||
|
patch -p1 < $root/patches/nginx-$ver-proxy_ssl_handshake_timer.patch || exit 1
|
||||||
|
echo
|
||||||
|
|
||||||
answer=`$root/util/ver-ge "$main_ver" 1.4.4`
|
answer=`$root/util/ver-ge "$main_ver" 1.4.4`
|
||||||
if [ "$answer" = "N" ]; then
|
if [ "$answer" = "N" ]; then
|
||||||
echo "$info_txt applying the CVE-2013-4547 patch for nginx $ver"
|
echo "$info_txt applying the CVE-2013-4547 patch for nginx $ver"
|
||||||
|
|
Loading…
Reference in New Issue