[nginx] SSL: SSL_CTX_set_tmp_dh() error handling.

Maxim Dounin mdounin at mdounin.ru
Tue Nov 16 14:50:56 UTC 2021


details:   https://hg.nginx.org/nginx/rev/efbcecbe5805
branches:  stable-1.20
changeset: 7959:efbcecbe5805
user:      Sergey Kandaurov <pluknet at nginx.com>
date:      Wed Aug 04 21:27:51 2021 +0300
description:
SSL: SSL_CTX_set_tmp_dh() error handling.

For example, it can fail due to weak DH parameters.

diffstat:

 src/event/ngx_event_openssl.c |  8 +++++++-
 1 files changed, 7 insertions(+), 1 deletions(-)

diffs (18 lines):

diff -r 9b72da2b5b57 -r efbcecbe5805 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c	Tue Aug 03 20:50:30 2021 +0300
+++ b/src/event/ngx_event_openssl.c	Wed Aug 04 21:27:51 2021 +0300
@@ -1376,7 +1376,13 @@ ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_
         return NGX_ERROR;
     }
 
-    SSL_CTX_set_tmp_dh(ssl->ctx, dh);
+    if (SSL_CTX_set_tmp_dh(ssl->ctx, dh) != 1) {
+        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+                      "SSL_CTX_set_tmp_dh(\"%s\") failed", file->data);
+        DH_free(dh);
+        BIO_free(bio);
+        return NGX_ERROR;
+    }
 
     DH_free(dh);
     BIO_free(bio);
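Review bot: the new return-value check closes a silent-failure path in this hunk: before it, a rejected DH parameter set (the commit message names weak parameters as the trigger) left the SSL_CTX without the configured group while configuration loading still succeeded, so logging at NGX_LOG_EMERG and returning NGX_ERROR correctly turns a bad dhparam file into a hard startup error. The `!= 1` comparison matches the documented success value of SSL_CTX_set_tmp_dh(). The `DH_free(dh); BIO_free(bio);` pair in the new branch duplicates the cleanup that follows the `if`; that follows the explicit-cleanup style already visible here rather than a shared exit label, but confirm that the earlier `return NGX_ERROR;` in the leading context releases the same objects so the function's error paths stay consistent.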
