mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-07-22 20:38:26 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

QUIC: better approach for premature handshake completion.

Browse Source 
Using SSL_in_init() to inspect a handshake state was replaced with
SSL_is_init_finished().  This represents a more complete fix to the
BoringSSL issue addressed in 22671b37e.

This provides awareness of the early data handshake state when using
OpenSSL 3.5 TLS callbacks in 0-RTT enabled configurations, which, in
particular, is used to avoid premature completion of the initial TLS
handshake, before required client handshake messages are received.

This is a non-functional change when using BoringSSL.  It supersedes
testing non-positive SSL_do_handshake() results in all supported SSL
libraries, hence simplified.

In preparation for using OpenSSL 3.5 TLS callbacks.
This commit is contained in:
Sergey Kandaurov 2025-05-16 01:10:11 +04:00 committed by Roman Arutyunyan
parent bcb9d3fd2c
commit 1d4d2f2c96
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/event/quic/ngx_event_quic_ssl.c
View File

@ -463,7 +463,7 @@ ngx_quic_handshake(ngx_connection_t *c)
} }
} }
if (n <= 0 || SSL_in_init(ssl_conn)) { if (!SSL_is_init_finished(ssl_conn)) {
if (ngx_quic_keys_available(qc->keys, NGX_QUIC_ENCRYPTION_EARLY_DATA, 0) if (ngx_quic_keys_available(qc->keys, NGX_QUIC_ENCRYPTION_EARLY_DATA, 0)
&& qc->client_tp_done) && qc->client_tp_done)
{ {