github.com/openresty
1
0
Fork 0
mirror of https://github.com/openresty/openresty synced 2024-11-09 18:35:51 +01:00
Code Releases Wiki Activity

feature: applied the ssl_cert_cb_yield patch to the NGINX core to allow yielding in OpenSSL's SSL_CTX_set_cert_cb() callbacks (needed by ngx_lua's ssl_certificate_by_lua*, for example).

Browse Source
This commit is contained in:
Yichun Zhang (agentzh) 2016-01-03 10:21:03 -08:00
parent 9cf02ba0c0
commit c0c2f883e9
2 changed files with 46 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
patches/nginx-1.9.7-ssl_cert_cb_yield.patch Normal file
View File

@ -0,0 +1,42 @@
# HG changeset patch
# User Yichun Zhang <agentzh@openresty.org>
# Date 1451762084 28800
# Sat Jan 02 11:14:44 2016 -0800
# Node ID 449f0461859c16e95bdb18e8be6b94401545d3dd
# Parent 78b4e10b4367b31367aad3c83c9c3acdd42397c4
SSL: handled SSL_CTX_set_cert_cb() callback yielding.
OpenSSL 1.0.2+ introduces SSL_CTX_set_cert_cb() to allow custom
callbacks to serve the SSL certificiates and private keys dynamically
and lazily. The callbacks may yield for nonblocking I/O or sleeping.
Here we added support for such usage in NGINX 3rd-party modules
(like ngx_lua) in NGINX's event handlers for downstream SSL
connections.
diff -r 78b4e10b4367 -r 449f0461859c src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Thu Dec 17 16:39:15 2015 +0300
+++ b/src/event/ngx_event_openssl.c Sat Jan 02 11:14:44 2016 -0800
@@ -1210,6 +1210,23 @@
return NGX_AGAIN;
}
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+ if (sslerr == SSL_ERROR_WANT_X509_LOOKUP) {
+ c->read->handler = ngx_ssl_handshake_handler;
+ c->write->handler = ngx_ssl_handshake_handler;
+
+ if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
+ return NGX_ERROR;
+ }
+
+ if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
+ return NGX_ERROR;
+ }
+
+ return NGX_AGAIN;
+ }
+#endif
+
err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
c->ssl->no_wait_shutdown = 1;

4
util/mirror-tarballs
View File

@ -299,6 +299,10 @@ echo "$info_txt applying the always_enable_cc_feature_tests patch to nginx"
patch -p1 < $root/patches/nginx-$main_ver-always_enable_cc_feature_tests.patch
echo
echo "$info_txt applying the ssl_cert_cb_yield.patch patch to nginx"
patch -p1 < $root/patches/nginx-$main_ver-ssl_cert_cb_yield.patch
echo
cd .. || exit 1
cp $root/patches/nginx-$main_ver-no_pool.patch ./nginx-no_pool.patch || exit 1