
changeset 9343:4f20c52c5f1b

Upstream: fixed passwords usage for certificates with variables. SSL certificate passwords are stored separately from the SSL context created for SSL proxying, yet modified when the context is created if certificates with variables are used (to ensure passwords will be available at run time). Optimizations introduced in 8053:9d98d524bd02 (1.23.1) did not take this into account, and might end up using at run time passwords which weren't preserved to be usable at run time, such as in the following configuration: server { proxy_ssl_certificate $crt; proxy_ssl_certificate_key $key; proxy_ssl_password_file foo; location /1/ { proxy_pass https://u; } location /2/ { proxy_pass https://u; } } Fix is to preserve passwords if needed when using an inherited SSL context.
author Maxim Dounin <mdounin@mdounin.ru>
date 2025年4月15日 02:20:08 +0300
parents aeaee7ffdb78
children 1fc37359eb2b
files src/http/modules/ngx_http_grpc_module.c src/http/modules/ngx_http_proxy_module.c src/http/modules/ngx_http_uwsgi_module.c
diffstat 3 files changed, 39 insertions(+), 0 deletions(-) [+]
--- a/src/http/modules/ngx_http_grpc_module.c
+++ b/src/http/modules/ngx_http_grpc_module.c
@@ -4935,6 +4935,19 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ng
 ngx_pool_cleanup_t *cln;

 if (glcf->upstream.ssl->ctx) {
+
+ if (glcf->upstream.ssl_certificate
+ && glcf->upstream.ssl_certificate->value.len
+ && (glcf->upstream.ssl_certificate->lengths
+ || glcf->upstream.ssl_certificate_key->lengths))
+ {
+ glcf->upstream.ssl_passwords =
+ ngx_ssl_preserve_passwords(cf, glcf->upstream.ssl_passwords);
+ if (glcf->upstream.ssl_passwords == NULL) {
+ return NGX_ERROR;
+ }
+ }
+
 return NGX_OK;
 }
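Review bot: The new condition's `|| glcf->upstream.ssl_certificate_key->lengths` line dereferences `ssl_certificate_key` without a NULL guard, so this early-return path is only safe if the certificate/key pair was already validated when the inherited context was first created; that invariant is not visible in the hunk and should be stated, e.g. `/* ctx is inherited: the certificate/key pair was validated when it was created */` above the `if`. The same applies to the identical blocks in ngx_http_proxy_set_ssl and ngx_http_uwsgi_set_ssl. As a style point, the three copies differ only in the conf pointer, so a shared helper taking the `ngx_http_upstream_conf_t` would keep them from drifting apart. ngx_http_grpc_set_ssl continues outside the hunk.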
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -4987,6 +4987,19 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n
 ngx_pool_cleanup_t *cln;

 if (plcf->upstream.ssl->ctx) {
+
+ if (plcf->upstream.ssl_certificate
+ && plcf->upstream.ssl_certificate->value.len
+ && (plcf->upstream.ssl_certificate->lengths
+ || plcf->upstream.ssl_certificate_key->lengths))
+ {
+ plcf->upstream.ssl_passwords =
+ ngx_ssl_preserve_passwords(cf, plcf->upstream.ssl_passwords);
+ if (plcf->upstream.ssl_passwords == NULL) {
+ return NGX_ERROR;
+ }
+ }
+
 return NGX_OK;
 }
--- a/src/http/modules/ngx_http_uwsgi_module.c
+++ b/src/http/modules/ngx_http_uwsgi_module.c
@@ -2519,6 +2519,19 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, n
 ngx_pool_cleanup_t *cln;

 if (uwcf->upstream.ssl->ctx) {
+
+ if (uwcf->upstream.ssl_certificate
+ && uwcf->upstream.ssl_certificate->value.len
+ && (uwcf->upstream.ssl_certificate->lengths
+ || uwcf->upstream.ssl_certificate_key->lengths))
+ {
+ uwcf->upstream.ssl_passwords =
+ ngx_ssl_preserve_passwords(cf, uwcf->upstream.ssl_passwords);
+ if (uwcf->upstream.ssl_passwords == NULL) {
+ return NGX_ERROR;
+ }
+ }
+
 return NGX_OK;
 }
