Opened 5 months ago

Last modified 5 months ago

#1458 new defect

ngx_http_ssl_module http block config bug

Reported by: crasyangel.lhy@… Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.12.x
Keywords: ngx_http_ssl_module Cc: gcc, 4.8.3
uname -a: Linux cp01-gaoyan09.epc.baidu.com 2.6.32_1-16-0-0_virtio #1 SMP Thu May 14 15:30:56 CST 2015 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.12.2 built by gcc 4.8.3 (GCC) built with OpenSSL 1.0.0-fips 29 Mar 2010 TLS SNI support enabled configure arguments: --with-http_ssl_module --prefix=/home/work/code/gy/nginx-1.12.2/output/

Description

sbin/nginx -p.
nginx: [emerg] BIO_new_file("./conf/./conf/server.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('./conf/./conf/server.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)

Nginx would not find correct certificate file, when there is two https server in config, and no certificate file in server level, but in http level, with relative path

The function ngx_conf_full_name would change name's data to new value, and config value inheritd from prev level, it would add prefix in first server, and add prefix again in second server.

config:

http {

include mime.types;
default_type application/octet-stream;

sendfile on;
keepalive_timeout 65;

# HTTPS server
#
ssl_certificate server.crt;
ssl_certificate_key server.key;
server {

listen 8443 ssl;
server_name localhost;

ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;

ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

location / {

root html;
index index.html index.htm;

}

}
server {

listen 8444 ssl;
server_name localhost;

ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;

ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

location / {

root html;
index index.html index.htm;

}

}

}

I have patch to attach to this ticket, use local variable when calling ngx_conf_full_name in ngx_event_openssl.c

Gao Yan
China Baidu
Thx

Attachments (1)

1.diff (10.4 KB) - added by crasyangel.lhy@… 5 months ago.
use local variable when calling ngx_conf_full_name

Download all attachments as: .zip

Change History (2)

Changed 5 months ago by crasyangel.lhy@…

use local variable when calling ngx_conf_full_name

comment:1 Changed 5 months ago by mdounin

  • Priority changed from critical to minor

The ngx_conf_full_name() is expected to produce a full name, with leading /. As such, using it multiple times should be safe. The problem is relative prefix -p . you use while starting nginx, which makes ngx_conf_full_name() unsafe. An obvious workaround would be to use an absolute prefix:

$ nginx -p `pwd`

Note well that such a relative prefix is also unsafe in various other cases - for example, when working_directory is used in the configuration, it will produce different paths before and after chdir(), leading to various problems with paths used in both master and worker processes.

As for the patch, I'm not sure introducing local variables everywhere is a good solution.

Note: See TracTickets for help on using tickets.