From 3efffddd95e564fe10f59e1de45afc2b551a5cba Mon Sep 17 00:00:00 2001
From: Andrey Suvorov
Date: Wed, 26 May 2021 11:11:58 -0700
Subject: Fixing crash during TLS connection shutdown.

A crash was caused by an incorrect timer handler nxt_h1p_idle_timeout() if SSL_shutdown() returned SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE. The flag SSL_RECEIVED_SHUTDOWN is used to avoid getting SSL_ERROR_WANT_READ, so the server won't wait for a close notification from a client. For SSL_ERROR_WANT_WRITE, a correct timer handler is set up.
---
 src/nxt_tls.h | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'src/nxt_tls.h')
diff --git a/src/nxt_tls.h b/src/nxt_tls.h
index c44bfe56..2a29f3ca 100644
--- a/src/nxt_tls.h
+++ b/src/nxt_tls.h
@@ -69,6 +69,8 @@ struct nxt_tls_conf_s {
 char *ca_certificate;
 size_t buffer_size;
+
+ uint8_t no_wait_shutdown; /* 1 bit */
 };
-- cgit
From 3f7ccf142ff4d1a11b807a344bcb1e3cb6c3284b Mon Sep 17 00:00:00 2001
From: Andrey Suvorov
Date: Wed, 26 May 2021 11:19:47 -0700
Subject: Enabling SSL_CTX configuration by using SSL_CONF_cmd().

To perform various configuration operations on SSL_CTX, OpenSSL provides SSL_CONF_cmd(). Specifically, to configure ciphers for a listener, "CipherString" and "Ciphersuites" file commands are used: https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html This feature can be configured in the "tls/conf_commands" section.
---
 src/nxt_tls.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'src/nxt_tls.h')
diff --git a/src/nxt_tls.h b/src/nxt_tls.h
index 2a29f3ca..63c49ee4 100644
--- a/src/nxt_tls.h
+++ b/src/nxt_tls.h
@@ -8,6 +8,9 @@
 #define _NXT_TLS_H_INCLUDED_
+#include
+
+
 /*
 * The SSL/TLS libraries lack vector I/O interface yet add noticeable
 * overhead to each SSL/TLS record so buffering allows to decrease the
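Review bot: The new field `no_wait_shutdown` in struct nxt_tls_conf_s is documented only by its storage width (`/* 1 bit */`), not by what it controls; the commit message carries the meaning (the server does not wait for the peer's close notification during SSL_shutdown()), and that is what a reader of the header needs. A comment such as `/* 1 bit: do not wait for the peer's close_notify in SSL_shutdown() */` would record the intent next to the field. Because a side that stops waiting for the peer's close_notify can no longer distinguish an orderly close from a truncated one in that direction, the comment (or the place the flag is consumed) should also state that the flag only affects the server-initiated shutdown path, if that is indeed its scope; I cannot confirm that from this header alone. The struct's opening line is outside the hunk.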
@@ -32,6 +35,7 @@ typedef struct {
 nxt_int_t (*server_init)(nxt_task_t *task, nxt_tls_conf_t *conf, nxt_mp_t *mp,
+ nxt_conf_value_t *conf_cmds,
 nxt_bool_t last);
 void (*server_free)(nxt_task_t *task, nxt_tls_conf_t *conf);
@@ -49,7 +53,7 @@ struct nxt_tls_bundle_conf_s {
 void *ctx;
 nxt_fd_t chain_file;
- nxt_str_t *name;
+ nxt_str_t name;
 nxt_tls_bundle_conf_t *next;
 };
-- cgit
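Review bot: The new `conf_cmds` parameter of the `server_init` callback is undocumented here, and nothing in the header says whether it may be NULL when no `tls/conf_commands` section is configured or which SSL_CONF_cmd() commands the implementation honours; the commit message names only `CipherString` and `Ciphersuites`. Since SSL_CONF_cmd() can also change protocol versions and connection options, the accepted command set is a security-relevant part of this contract and belongs next to the callback, e.g. `/* conf_cmds: the "tls/conf_commands" value (NULL when absent - confirm); entries are handed to SSL_CONF_cmd() */`, with a sentence naming the commands that are accepted if the implementation restricts them. The `#include` added in the earlier hunk of this commit has lost its target in this rendering, so I cannot check that it is the header declaring nxt_conf_value_t. The typedef begins before and ends after this hunk.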
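Review bot: Changing `name` in struct nxt_tls_bundle_conf_s from `nxt_str_t *` to an embedded `nxt_str_t` changes the field's ownership and removes its NULL state, yet the commit message, which is about SSL_CONF_cmd(), does not mention the change or why it is needed; any code that tested `name == NULL` or compared the pointer must have been updated in files outside this diff, which I cannot see. A one-line comment on the field, e.g. `/* bundle name; owned by this struct, not a reference */` if that matches what the implementation does, would record the intent, and the commit message should state why the representation changed. The struct's opening line is outside the hunk.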