SSL: abort handshake on SSL_set_SSL_CTX() errors.

In rare cases, such as memory allocation failure, SSL_set_SSL_CTX() returns NULL, which could mean that a different SSL configuration has not been set. Note that this new behaviour seemingly originated in OpenSSL-1.1.0 release.
npenin · Sep 24, 2020 · 3bbeb1b · 3bbeb1b
1 parent 6c89d75
commit 3bbeb1b
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
@@ -932,7 +932,10 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
     c->ssl->buffer_size = sscf->buffer_size;
 
     if (sscf->ssl.ctx) {
-        SSL_set_SSL_CTX(ssl_conn, sscf->ssl.ctx);
+        if (SSL_set_SSL_CTX(ssl_conn, sscf->ssl.ctx) == NULL) {
+            *ad = SSL_AD_INTERNAL_ERROR;
+            return SSL_TLSEXT_ERR_ALERT_FATAL;
+        }
 
         /*
          * SSL_set_SSL_CTX() only changes certs as of 1.0.0d