From 79fcf261d0b50c03ae2780b5588b59ed2eb7ad88 Mon Sep 17 00:00:00 2001 From: Sergey Kandaurov Date: Tue, 8 Dec 2015 16:59:43 +0300 Subject: [PATCH] SSL: fixed possible segfault on renegotiation (ticket #845). Skip SSL_CTX_set_tlsext_servername_callback in case of renegotiation. Do nothing in SNI callback as in this case it will be supplied with request in c->data which isn't expected and doesn't work this way. This was broken by b40af2fd1c16 (1.9.6) with OpenSSL master branch and LibreSSL. --- src/http/ngx_http_request.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c index b68a13d3a..99e932509 100644 --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -837,6 +837,10 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) c = ngx_ssl_get_connection(ssl_conn); + if (c->ssl->renegotiation) { + return SSL_TLSEXT_ERR_NOACK; + } + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "SSL server name: \"%s\"", servername);