author | Max Romanov <max.romanov@nginx.com> | 2021-07-01 13:56:40 +0300 |
---|---|---|
committer | Max Romanov <max.romanov@nginx.com> | 2021-07-01 13:56:40 +0300 |
commit | cfba69781a18407d5c2020c4e3f3d4fc175a6127 (patch) | |
tree | 11c007046bdff175358fb4d9b3175d28249ac6bf | |
parent | c16123e7493118dad698ccac7e56bb475bac7def (diff) | |
Fixing multiple TLS-enabled listeners initialization.
Because of the incorrect 'last' field assignment, multiple listeners with
a TLS certificate did not initialize properly, which caused a router crash
while establishing a connection.
Test with multiple TLS listeners added.
The issue was introduced in the c548e46fe516 commit.
This closes #561 issue on GitHub.
Diffstat (limited to '')
-rw-r--r-- | docs/changes.xml | 7 | ||||
-rw-r--r-- | src/nxt_router.c | 11 | ||||
-rw-r--r-- | test/test_tls.py | 13 |
3 files changed, 25 insertions, 6 deletions
diff --git a/docs/changes.xml b/docs/changes.xml
index 51a519f0..ec8d4981 100644
--- a/docs/changes.xml
+++ b/docs/changes.xml
@@ -44,6 +44,13 @@ Initial release of Java 17 module for NGINX Unit.
 </para>
 </change>
+<change type="bugfix">
+<para>
+the router process could crash on TLS connection open when multiple listeners
+with TLS certificate configured; the bug had appeared in 1.23.0.
+</para>
+</change>
+
 </changes>
diff --git a/src/nxt_router.c b/src/nxt_router.c
index 015ae226..26b846b0 100644
--- a/src/nxt_router.c
+++ b/src/nxt_router.c
@@ -124,7 +124,7 @@ static void nxt_router_tls_rpc_handler(nxt_task_t *task, nxt_port_recv_msg_t *msg, void *data);
 static nxt_int_t nxt_router_conf_tls_insert(nxt_router_temp_conf_t *tmcf, nxt_conf_value_t *value, nxt_socket_conf_t *skcf,
- nxt_conf_value_t * conf_cmds);
+ nxt_conf_value_t * conf_cmds, nxt_bool_t last);
 #endif
 static void nxt_router_app_rpc_create(nxt_task_t *task, nxt_router_temp_conf_t *tmcf, nxt_app_t *app);
@@ -956,8 +956,6 @@ nxt_router_conf_apply(nxt_task_t *task, void *obj, void *data)
 tls = nxt_queue_link_data(qlk, nxt_router_tlssock_t, link);
- tls->last = nxt_queue_is_empty(&tmcf->tls);
-
 nxt_cert_store_get(task, &tls->name, tmcf->mem_pool, nxt_router_tls_rpc_handler, tls);
 return;
@@ -1752,7 +1750,7 @@ nxt_router_conf_create(nxt_task_t *task, nxt_router_temp_conf_t *tmcf,
 nxt_assert(value != NULL);
 ret = nxt_router_conf_tls_insert(tmcf, value, skcf,
- conf_cmds);
+ conf_cmds, i == 0);
 if (nxt_slow_path(ret != NXT_OK)) {
 goto fail;
 }
@@ -1761,7 +1759,7 @@ nxt_router_conf_create(nxt_task_t *task, nxt_router_temp_conf_t *tmcf,
 } else { /* NXT_CONF_STRING */
 ret = nxt_router_conf_tls_insert(tmcf, certificate, skcf,
- conf_cmds);
+ conf_cmds, 1);
 if (nxt_slow_path(ret != NXT_OK)) {
 goto fail;
 }
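Review bot: The two nxt_router_conf_create() call sites pass the new `last` argument as `i == 0` and as a bare `1`, and nothing there explains why the first array element is the one marked as last. This presumably relies on the `tmcf->tls` queue being filled with nxt_queue_insert_tail() and consumed from the opposite end, so that the entry inserted first for a listener is fetched last; that consumer and the surrounding loop are outside these hunks, so the ordering should be confirmed. If it holds, a comment at the first site such as `/* certificates are fetched in reverse insertion order, so element 0 completes this listener */` would record the invariant, and the same sentence belongs on the `last` parameter of nxt_router_conf_tls_insert() in the later hunks. Without it, a later change to the insertion or fetch order could silently bring back the uninitialized-listener state that crashed the router.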
@@ -1856,7 +1854,7 @@ fail:
 static nxt_int_t
 nxt_router_conf_tls_insert(nxt_router_temp_conf_t *tmcf,
 nxt_conf_value_t *value, nxt_socket_conf_t *skcf,
- nxt_conf_value_t *conf_cmds)
+ nxt_conf_value_t *conf_cmds, nxt_bool_t last)
 {
 nxt_router_tlssock_t *tls;
@@ -1868,6 +1866,7 @@ nxt_router_conf_tls_insert(nxt_router_temp_conf_t *tmcf,
 tls->socket_conf = skcf;
 tls->conf_cmds = conf_cmds;
 tls->temp_conf = tmcf;
+ tls->last = last;
 nxt_conf_get_string(value, &tls->name);
 nxt_queue_insert_tail(&tmcf->tls, &tls->link);
diff --git a/test/test_tls.py b/test/test_tls.py
index 0cfeaded..546f0f89 100644
--- a/test/test_tls.py
+++ b/test/test_tls.py
@@ -665,3 +665,16 @@ basicConstraints = critical,CA:TRUE"""
 )
 assert res['status'] == 200, 'status ok'
 assert res['body'] == filename + data
+
+ def test_tls_multi_listener(self):
+ self.load('empty')
+
+ self.certificate()
+
+ self.add_tls()
+ self.add_tls(port=7081)
+
+ assert self.get_ssl()['status'] == 200, 'listener #1'
+
+ assert self.get_ssl(port=7081)['status'] == 200, 'listener #2'
+ |
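Review bot: test_tls_multi_listener only brings up two listeners through `self.add_tls()` and `self.add_tls(port=7081)`, which appear to configure a single certificate name each, so only the string branch that passes `1` is exercised. The array branch in src/nxt_router.c that now passes `i == 0` is not covered in combination with a second listener, and that is where a mistake in the per-listener `last` flag would show up. A second case that configures a certificate list on at least one of the two listeners would pin it. The port `7081` is also repeated as a literal in two places; a local variable would keep the listener and the request in step.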