authorSergey Kandaurov <pluknet@nginx.com>2025-01-08 17:50:33 +0400
committerpluknet <pluknet@nginx.com>2025-01-17 04:37:46 +0400
commit5d5d9adccfeaff7d5926737ee5dfa43937fe5899 (patch)
treedffc4e214497ad560eb317e97be59ac6eac3fac3 /src/event/ngx_event_openssl.h
parent454ad0ef33a347eba1a62d18c8fc0498f4dcfd64 (diff)
SSL: avoid using mismatched certificate/key cached pairs.
This can happen with certificates and certificate keys specified with variables due to partial cache update in various scenarios:
- cache expiration with only one element of pair evicted
- on-disk update with non-cacheable encrypted keys
- non-atomic on-disk update

The fix is to retry with fresh data on X509_R_KEY_VALUES_MISMATCH.
Diffstat (limited to 'src/event/ngx_event_openssl.h')
-rw-r--r--src/event/ngx_event_openssl.h2
1 files changed, 2 insertions, 0 deletions
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
index 0713c5671..c9dc50c75 100644
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -206,6 +206,8 @@ typedef struct {
#define NGX_SSL_CACHE_CRL 2
#define NGX_SSL_CACHE_CA 3
+#define NGX_SSL_CACHE_INVALIDATE 0x80000000
+
ngx_int_t ngx_ssl_init(ngx_log_t *log);
ngx_int_t ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data);
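Review bot: `NGX_SSL_CACHE_INVALIDATE` is added directly beneath the `NGX_SSL_CACHE_*` values (2 and 3 are visible in this hunk) with nothing to say that it is a different kind of value. Judging by its magnitude and the commit message, it looks like a flag bit combined with one of those indices rather than a fifth index, so a comment should state that, for example `/* flag OR'ed with a NGX_SSL_CACHE_* index: bypass the cached object and reload it */`. If that reading is right, every consumer has to mask the bit off before using the value to select a cache type, otherwise the index goes far out of range; that code is outside this header and worth checking in the same review. The literal `0x80000000` does not fit in a 32-bit `int`, so it is unsigned, which is fine only as long as the parameter carrying it is an unsigned type.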