Opened 7 years ago
Last modified 7 years ago
#1458 new defect
ngx_http_ssl_module http block config bug
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-core | Version: | 1.12.x |
Keywords: | ngx_http_ssl_module | Cc: | gcc, 4.8.3 |
uname -a: | Linux cp01-gaoyan09.epc.baidu.com 2.6.32_1-16-0-0_virtio #1 SMP Thu May 14 15:30:56 CST 2015 x86_64 x86_64 x86_64 GNU/Linux | ||
nginx -V: | nginx version: nginx/1.12.2 built by gcc 4.8.3 (GCC) built with OpenSSL 1.0.0-fips 29 Mar 2010 TLS SNI support enabled configure arguments: --with-http_ssl_module --prefix=/home/work/code/gy/nginx-1.12.2/output/ | ||
Description
sbin/nginx -p.
nginx: [emerg] BIO_new_file("./conf/./conf/server.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('./conf/./conf/server.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
Nginx would not find the correct certificate file when there are two https servers in the config, and no certificate file at server level, but at http level, with a relative path.
The function ngx_conf_full_name would change name's data to a new value, and with the config value inherited from the previous level, it would add the prefix in the first server, and add the prefix again in the second server.
config:

    http {
        include mime.types;
        default_type application/octet-stream;
        sendfile on;
        keepalive_timeout 65;

        # HTTPS server
        #
        ssl_certificate server.crt;
        ssl_certificate_key server.key;

        server {
            listen 8443 ssl;
            server_name localhost;
            ssl_session_cache shared:SSL:1m;
            ssl_session_timeout 5m;
            ssl_ciphers HIGH:!aNULL:!MD5;
            ssl_prefer_server_ciphers on;
            location / {
                root html;
                index index.html index.htm;
            }
        }

        server {
            listen 8444 ssl;
            server_name localhost;
            ssl_session_cache shared:SSL:1m;
            ssl_session_timeout 5m;
            ssl_ciphers HIGH:!aNULL:!MD5;
            ssl_prefer_server_ciphers on;
            location / {
                root html;
                index index.html index.htm;
            }
        }
    }

I have a patch to attach to this ticket: use a local variable when calling ngx_conf_full_name in ngx_event_openssl.c
Gao Yan
China Baidu
Thx
Attachments (1)
Change History (2)
comment:1 by , 7 years ago
Priority: | critical → minor |
---|
The `ngx_conf_full_name()` is expected to produce a full name, with leading `/`. As such, using it multiple times should be safe. The problem is relative prefix `-p .` you use while starting nginx, which makes `ngx_conf_full_name()` unsafe. An obvious workaround would be to use an absolute prefix:
$ nginx -p `pwd`
Note well that such a relative prefix is also unsafe in various other cases - for example, when `working_directory` is used in the configuration, it will produce different paths before and after `chdir()`, leading to various problems with paths used in both master and worker processes.
As for the patch, I'm not sure introducing local variables everywhere is a good solution.
use local variable when calling ngx_conf_full_name
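
The double-prefix behaviour discussed in this ticket, as an added C example (a simplified model written for illustration, not nginx source code and not the attached patch). `full_name` and `resolve_for_two_servers` are hypothetical stand-ins, and the absolute prefix is a constructed sample path.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 256

/* Simplified model (assumption): a name counts as "full" when it starts
 * with '/'; otherwise the prefix is prepended IN PLACE, overwriting the
 * caller's buffer, which is what makes repeated calls matter. */
static void full_name(char *name, const char *prefix)
{
    char tmp[NAME_LEN];

    if (name[0] == '/') {
        return;                 /* already absolute: a repeat call is a no-op */
    }
    snprintf(tmp, sizeof(tmp), "%s%s", prefix, name);
    strcpy(name, tmp);
}

/* Two server blocks inherit the same http-level value (one shared buffer),
 * and each resolves it while setting up its own SSL context. */
static const char *resolve_for_two_servers(const char *prefix,
                                           char *out, size_t len)
{
    char shared[NAME_LEN] = "server.crt";   /* http{} ssl_certificate value */
    int  server;

    for (server = 0; server < 2; server++) {
        full_name(shared, prefix);
    }
    snprintf(out, len, "%s", shared);
    return out;
}

int main(void)
{
    char out[NAME_LEN];

    /* Relative conf prefix, as produced by starting with "-p ." */
    printf("relative: %s\n",
           resolve_for_two_servers("./conf/", out, sizeof(out)));
    /* Absolute conf prefix (constructed sample path) */
    printf("absolute: %s\n",
           resolve_for_two_servers("/srv/nginx/conf/", out, sizeof(out)));
    return 0;
}
```

With the relative prefix the first call yields a name that still does not start with `/`, so the second call prefixes it again and produces the path seen in the error message; with an absolute prefix the second call leaves the name unchanged.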