From 66d19c1a47cdd0e89a8e402650a301f823371cd8 Mon Sep 17 00:00:00 2001
From: u5surf
Date: Mon, 24 Feb 2025 15:49:24 +0900
Subject: [PATCH] SSL: Add SSL_CTX_check_private_key in ngx_ssl_certificate. to resolve the issue which the config test passes unexpectedly in case of the key and cert is different the classes (RSA/DSA/ECDSA) in each.
---
 src/event/ngx_event_openssl.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 0681ca3a2..2447f5b62 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -553,6 +553,12 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
 EVP_PKEY_free(pkey);
 return NGX_ERROR;
 }
+ if (SSL_CTX_check_private_key(ssl->ctx) == 0) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "SSL_CTX_check_private_key(\"%s\") failed", key->data);
+ EVP_PKEY_free(pkey);
+ return NGX_ERROR;
+ }
 EVP_PKEY_free(pkey);
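Review bot: The new error message names only the key file, although a failed SSL_CTX_check_private_key() means the key and the certificate do not belong together, so the operator is not told which certificate was involved; `cert` is a parameter of ngx_ssl_certificate() (visible in the hunk header), so the log call could read `"SSL_CTX_check_private_key(\"%s\", \"%s\") failed", cert->data, key->data);`. The added `if` would also benefit from a short comment above it, for example `/* SSL_CTX_use_PrivateKey() accepts a key whose type differs from the certificate's; verify the pair explicitly */`, because without the commit message the call looks redundant with the one just before it. Per the OpenSSL documentation the function checks only the most recently installed key/certificate pair, so the comment should also say that the check must stay directly after SSL_CTX_use_PrivateKey(). The function body starts and ends outside the hunk, so whether `cert->data` is a printable name in every branch of the function should be confirmed before changing the message.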