mirror of
https://github.com/openresty/openresty
synced 2024-11-14 08:45:50 +01:00
2e480157a3
Previously, we used the OpenSSL 1.1.1 ClientHello callback to do ssl session fetching non-blockingly. However, this way cannot handle an edge case: the ssl session resumption via session ticket might fail, and the client fallbacks to session ID resumption. The ClientHello callback is run too early to know if the client will fallback to use session ID resumption. Therefore, we have to take back the OpenSSL sess_set_get_cb_yield patch and upgrade it to adapt OpenSSL 1.1.1. Thanks Yongjian Xu and crasyangel for their help. See 08e9e50. Signed-off-by: Thibault Charbonnier <thibaultcha@me.com>
42 lines
1.2 KiB
C
42 lines
1.2 KiB
C
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
|
|
--- a/src/event/ngx_event_openssl.c
|
|
+++ b/src/event/ngx_event_openssl.c
|
|
@@ -1446,7 +1446,12 @@ ngx_ssl_handshake(ngx_connection_t *c)
|
|
}
|
|
|
|
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
|
|
- if (sslerr == SSL_ERROR_WANT_X509_LOOKUP) {
|
|
+ if (sslerr == SSL_ERROR_WANT_X509_LOOKUP
|
|
+# ifdef SSL_ERROR_PENDING_SESSION
|
|
+ || sslerr == SSL_ERROR_PENDING_SESSION
|
|
+# endif
|
|
+ )
|
|
+ {
|
|
c->read->handler = ngx_ssl_handshake_handler;
|
|
c->write->handler = ngx_ssl_handshake_handler;
|
|
|
|
@@ -1575,6 +1580,23 @@ ngx_ssl_try_early_data(ngx_connection_t *c)
|
|
return NGX_AGAIN;
|
|
}
|
|
|
|
+#ifdef SSL_ERROR_PENDING_SESSION
|
|
+ if (sslerr == SSL_ERROR_PENDING_SESSION) {
|
|
+ c->read->handler = ngx_ssl_handshake_handler;
|
|
+ c->write->handler = ngx_ssl_handshake_handler;
|
|
+
|
|
+ if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
|
|
+ return NGX_ERROR;
|
|
+ }
|
|
+
|
|
+ if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
|
|
+ return NGX_ERROR;
|
|
+ }
|
|
+
|
|
+ return NGX_AGAIN;
|
|
+ }
|
|
+#endif
|
|
+
|
|
err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
|
|
|
|
c->ssl->no_wait_shutdown = 1;
|