From 9e834398de906bea23c8668bd8d78c36c453224a Mon Sep 17 00:00:00 2001 From: spacewander Date: Wed, 10 Apr 2019 11:33:55 +0800 Subject: [PATCH] feature: updated the NGINX patches for async SSL session fetching to support OpenSSL 1.1.1. The patch was also renamed from `ssl_pending_session.patch` to `ssl_sess_cb_yield.patch` (similarly to the existing `ssl_cert_cb_yield.patch` one). Signed-off-by: Thibault Charbonnier --- ...h => nginx-1.15.8-ssl_sess_cb_yield.patch} | 20 ++++++++++++++++++- util/mirror-tarballs | 13 +++++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) rename patches/{nginx-1.15.8-ssl_pending_session.patch => nginx-1.15.8-ssl_sess_cb_yield.patch} (50%) diff --git a/patches/nginx-1.15.8-ssl_pending_session.patch b/patches/nginx-1.15.8-ssl_sess_cb_yield.patch similarity index 50% rename from patches/nginx-1.15.8-ssl_pending_session.patch rename to patches/nginx-1.15.8-ssl_sess_cb_yield.patch index 10122f8..e62f451 100644 --- a/patches/nginx-1.15.8-ssl_pending_session.patch +++ b/patches/nginx-1.15.8-ssl_sess_cb_yield.patch @@ -1,6 +1,6 @@ --- nginx-1.15.8/src/event/ngx_event_openssl.c 2016-07-17 19:20:30.411137606 -0700 +++ nginx-1.15.8-patched/src/event/ngx_event_openssl.c 2016-07-19 16:53:35.539768477 -0700 -@@ -1307,7 +1307,12 @@ ngx_ssl_handshake(ngx_connection_t *c) +@@ -1581,7 +1581,15 @@ ngx_ssl_try_early_data(ngx_connection_t *c) } #if OPENSSL_VERSION_NUMBER >= 0x10002000L 
@@ -8,9 +8,27 @@ + if (sslerr == SSL_ERROR_WANT_X509_LOOKUP +# ifdef SSL_ERROR_PENDING_SESSION + || sslerr == SSL_ERROR_PENDING_SESSION ++ ++# elif defined(SSL_ERROR_WANT_CLIENT_HELLO_CB) ++ || sslerr == SSL_ERROR_WANT_CLIENT_HELLO_CB +# endif + ) + { c->read->handler = ngx_ssl_handshake_handler; c->write->handler = ngx_ssl_handshake_handler; +diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h +--- a/src/event/ngx_event_openssl.h ++++ b/src/event/ngx_event_openssl.h +@@ -64,6 +64,11 @@ + #endif + + ++#ifdef SSL_ERROR_WANT_CLIENT_HELLO_CB ++#define HAVE_SSL_CLIENT_HELLO_CB_SUPPORT 1 ++#endif ++ ++ + struct ngx_ssl_s { + SSL_CTX *ctx; + ngx_log_t *log; diff --git a/util/mirror-tarballs b/util/mirror-tarballs index 0b50b7c..9a142cb 100755 --- a/util/mirror-tarballs +++ b/util/mirror-tarballs @@ -414,9 +414,16 @@ echo "$info_txt applying the ssl_cert_cb_yield.patch patch to nginx" patch -p1 < $root/patches/nginx-$main_ver-ssl_cert_cb_yield.patch echo -echo "$info_txt applying the ssl_pending_session.patch patch to nginx" -patch -p1 < $root/patches/nginx-$main_ver-ssl_pending_session.patch -echo +answer=`$root/util/ver-ge "$main_ver" 1.15.8` +if [ "$answer" = "N" ]; then + echo "$info_txt applying the ssl_pending_session.patch patch to nginx" + patch -p1 < $root/patches/nginx-$main_ver-ssl_pending_session.patch + echo +else + echo "$info_txt applying the ssl_sess_cb_yield.patch patch to nginx" + patch -p1 < $root/patches/nginx-$main_ver-ssl_sess_cb_yield.patch + echo +fi echo "$info_txt applying the upstream_timeout_fields patch for nginx" patch -p1 < $root/patches/nginx-$main_ver-upstream_timeout_fields.patch || exit 1
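Review bot: The new `# elif defined(SSL_ERROR_WANT_CLIENT_HELLO_CB)` arm is only compiled when `SSL_ERROR_PENDING_SESSION` is not defined, so a TLS library that defines both codes would never have `SSL_ERROR_WANT_CLIENT_HELLO_CB` treated as a yield and the handshake would presumably fall through to the generic error handling. Two independent blocks, `# endif` followed by `# ifdef SSL_ERROR_WANT_CLIENT_HELLO_CB`, remove that dependency on which library defines what. The added empty line inside the `if (` condition can be dropped. `HAVE_SSL_CLIENT_HELLO_CB_SUPPORT` in ngx_event_openssl.h deserves a one-line comment such as `/* feature test: handshake may yield with SSL_ERROR_WANT_CLIENT_HELLO_CB */`. The body of the `if` continues outside the hunk, so how a suspended handshake is resumed or timed out cannot be checked from here.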
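Review bot: Neither of the new `patch -p1 < ...` calls in the `if`/`else` checks its exit status, unlike the `upstream_timeout_fields` line right after, which ends in `|| exit 1`. If the session patch is rejected or the file for `$main_ver` is missing, the script carries on and the tarball is built without the async session-fetch change in the TLS handshake path. Append `|| exit 1` to both calls and quote the path, e.g. `patch -p1 < "$root/patches/nginx-$main_ver-ssl_sess_cb_yield.patch" || exit 1`. The `else` arm is also taken for any `ver-ge` output other than `N`, including empty output if the helper itself fails. Matching the positive answer explicitly (presumably `Y`, to be confirmed against `util/ver-ge`) and exiting on anything else would be stricter.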