From f26ae39115edb25d8485e755b561a28c30cf9239 Mon Sep 17 00:00:00 2001
From: "Yichun Zhang (agentzh)"
Date: Tue, 22 Jul 2014 17:10:22 -0700
Subject: [PATCH] bugfix: applied a patch to the nginx core to ensure the ssl handshake procedure in ngx_proxy is always protected by a timer for timeout errors. see http://mailman.nginx.org/pipermail/nginx-devel/2014-July/005627.html
---
 ...ginx-1.7.3-proxy_ssl_handshake_timer.patch | 23 +++++++++++++++++++
 util/mirror-tarballs | 4 ++++
 2 files changed, 27 insertions(+)
 create mode 100644 patches/nginx-1.7.3-proxy_ssl_handshake_timer.patch
diff --git a/patches/nginx-1.7.3-proxy_ssl_handshake_timer.patch b/patches/nginx-1.7.3-proxy_ssl_handshake_timer.patch
new file mode 100644
index 0000000..4334b8a
--- /dev/null
+++ b/patches/nginx-1.7.3-proxy_ssl_handshake_timer.patch
@@ -0,0 +1,23 @@
+# HG changeset patch
+# User Yichun Zhang
+# Date 1406068295 25200
+# Tue Jul 22 15:31:35 2014 -0700
+# Node ID 1db962fc3522ce61313b684ca8251a6462992d40
+# Parent 93614769dd4b6df8844c3c43c6a0b3f83bfa6746
+Proxy: added timeout protection to SSL handshake.
+
+Previously, proxy relied on the write event timer created when connect()
+could not complete immediately to protect SSL handshake timeouts. But when
+connect() can complete in a single run, there is no timer protection at all.
+
+diff -r 93614769dd4b -r 1db962fc3522 src/http/ngx_http_upstream.c
+--- a/src/http/ngx_http_upstream.c Sun May 11 21:56:07 2014 -0700
++++ b/src/http/ngx_http_upstream.c Tue Jul 22 15:31:35 2014 -0700
+@@ -1387,6 +1387,7 @@ ngx_http_upstream_ssl_init_connection(ng
+ rc = ngx_ssl_handshake(c);
+
+ if (rc == NGX_AGAIN) {
++ ngx_add_timer(c->write, u->conf->connect_timeout);
+ c->ssl->handler = ngx_http_upstream_ssl_handshake;
+ return;
+ }
diff --git a/util/mirror-tarballs b/util/mirror-tarballs
index 70c65af..f44c17f 100755
--- a/util/mirror-tarballs
+++ b/util/mirror-tarballs
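Review bot: The added `ngx_add_timer(c->write, u->conf->connect_timeout);` in the NGX_AGAIN branch is unconditional, so on the path the description itself mentions — connect() did not complete immediately and the connect code already armed the write timer — the deadline is re-armed from scratch, and a slow upstream can hold the connection for up to one connect_timeout for the connect plus another for the handshake instead of a single budget. Guarding on the event's existing flag keeps the original deadline while still covering the immediate-connect case: `if (!c->write->timer_set) { ngx_add_timer(c->write, u->conf->connect_timeout); }`. Whether the handler installed on the next line, ngx_http_upstream_ssl_handshake, clears this timer once the handshake succeeds is outside the hunk and worth confirming, since a timer left armed on the established connection would fire into the request phase. The enclosing ngx_http_upstream_ssl_init_connection starts and ends outside the hunk.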
@@ -216,6 +216,10 @@
 echo "$info_txt applying the cache_manager_exit patch for nginx $ver"
 patch -p1 < $root/patches/nginx-$ver-cache_manager_exit.patch || exit 1
 echo
+echo "$info_txt applying the proxy_ssl_handshake_timer patch for nginx $ver"
+patch -p1 < $root/patches/nginx-$ver-proxy_ssl_handshake_timer.patch || exit 1
+echo
+
 answer=`$root/util/ver-ge "$main_ver" 1.4.4`
 if [ "$answer" = "N" ]; then
 echo "$info_txt applying the CVE-2013-4547 patch for nginx $ver"
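Review bot: The new `patch -p1 < $root/patches/nginx-$ver-proxy_ssl_handshake_timer.patch || exit 1` is applied for whatever `$ver` is set to, but the only patch file this commit adds is named for 1.7.3, so the next version bump stops the script with a bare redirection error until a renamed copy exists. That mirrors the cache_manager_exit lines just above, so it is the file's convention, but unlike the CVE-2013-4547 block below there is no version gate, and if a later nginx release carries this fix the hunk would presumably stop applying and the script would exit here. A one-line comment above the new echo naming the upstream discussion, `# see http://mailman.nginx.org/pipermail/nginx-devel/2014-July/005627.html`, would tell a maintainer where to check whether the patch can be dropped or gated.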