Opened 6 years ago
Last modified 6 years ago
#1617 new enhancement
preread data ignored when SSL is terminated
| Reported by: | James Callahan | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | other | Version: | 1.13.x |
| Keywords: | | Cc: | |
| uname -a: | Linux myhost 4.18.1-arch1-1-ARCH #1 SMP PREEMPT Wed Aug 15 21:11:55 UTC 2018 x86_64 GNU/Linux | | |

nginx -V:
nginx version: openresty/1.13.6.2 (no pool)
built by gcc 8.2.0 (GCC)
built with OpenSSL 1.1.0i 14 Aug 2018
TLS SNI support enabled
configure arguments: --prefix=/opt/openresty/nginx --with-cc-opt=-O2 --add-module=../ngx_devel_kit-0.3.0 --add-module=../echo-nginx-module-0.61 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2rc3 --add-module=../set-misc-nginx-module-0.32 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.08 --add-module=../srcache-nginx-module-0.31 --add-module=../ngx_lua-0.10.13 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.7 --add-module=../rds-json-nginx-module-0.15 --add-module=../rds-csv-nginx-module-0.09 --with-ld-opt=-Wl,-rpath,/opt/openresty/luajit/lib --with-pcre-jit --with-ipv6 --with-http_realip_module --with-http_ssl_module --with-http_stub_status_module --with-http_v2_module --with-stream_ssl_preread_module --with-stream --with-stream_ssl_module --add-module=/home/james/src/stream-lua-nginx-module
Description
Using e.g. the ssl_preread module in combination with a listen directive that terminates SSL results in discarding the preread data.
I've attached a patch that fixes this by chaining an OpenSSL BIO that first returns any data in the ngx_connection_t's buffer field.
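The chained-BIO idea from the description, modelled here as an added example in plain C (this is not the attached patch and not nginx or OpenSSL code): a read layer that hands out the bytes ssl_preread already pulled off the socket before falling through to the underlying transport, next to the naive read that goes straight to the socket and so loses those bytes. The sample TLS record, the preread length of 5 bytes, and all type and function names are constructed for the example.

```c
/* Added example, not from the ticket's patch or from nginx/OpenSSL.
 * Models the fix as a plain C read layer: the bytes ssl_preread already
 * pulled off the socket (ngx_connection_t.buffer in nginx) must reach the
 * TLS layer before any fresh socket read, otherwise the ClientHello arrives
 * truncated and the handshake cannot succeed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample stream: a TLS record header followed by the start of
 * a ClientHello. Only the framing matters for this example. */
static const unsigned char STREAM[] = {
    0x16, 0x03, 0x01, 0x00, 0x10,                  /* handshake record, length 16 */
    0x01, 0x00, 0x00, 0x0c, 0x03, 0x03,            /* ClientHello header, version */
    0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x11, 0x22, 0x33, 0x44 /* random, truncated */
};
#define STREAM_LEN  (sizeof(STREAM))
#define PREREAD_LEN 5   /* assumption: ssl_preread consumed the record header */

/* The underlying transport, modelled as an in-memory stream (constructed). */
typedef struct { const unsigned char *data; size_t len; size_t pos; } transport_t;

static size_t transport_read(transport_t *t, unsigned char *out, size_t n)
{
    size_t avail = t->len - t->pos;
    size_t take = avail < n ? avail : n;
    memcpy(out, t->data + t->pos, take);
    t->pos += take;
    return take;                      /* 0 means EOF */
}

/* Connection state: the preread bytes plus the transport they came from. */
typedef struct {
    const unsigned char *buffer;      /* already-read bytes, like c->buffer */
    size_t buf_len, buf_pos;
    transport_t *transport;
} conn_t;

/* The behaviour the ticket reports: every read goes straight to the socket. */
static size_t read_ignoring_buffer(conn_t *c, unsigned char *out, size_t n)
{
    return transport_read(c->transport, out, n);
}

/* The fix: drain the preread buffer first, one chunk per call as a BIO read
 * would, then fall through to the transport. */
static size_t read_chained(conn_t *c, unsigned char *out, size_t n)
{
    size_t avail = c->buf_len - c->buf_pos;
    if (avail > 0) {
        size_t take = avail < n ? avail : n;
        memcpy(out, c->buffer + c->buf_pos, take);
        c->buf_pos += take;
        return take;
    }
    return transport_read(c->transport, out, n);
}

static unsigned char drained[64];

/* Read the whole connection `chunk` bytes at a time into `drained`;
 * returns the number of bytes the TLS layer would have seen. */
size_t drain(int chained, size_t chunk)
{
    transport_t t = { STREAM + PREREAD_LEN, STREAM_LEN - PREREAD_LEN, 0 };
    conn_t c = { STREAM, PREREAD_LEN, 0, &t };
    size_t total = 0;
    while (total < sizeof(drained)) {
        size_t want = sizeof(drained) - total;
        if (want > chunk) want = chunk;
        size_t got = chained ? read_chained(&c, drained + total, want)
                             : read_ignoring_buffer(&c, drained + total, want);
        if (got == 0) break;
        total += got;
    }
    return total;
}

/* First sanity check a TLS implementation applies to incoming bytes:
 * handshake content type, 0x03 major version, record length that fits. */
int looks_like_handshake_record(const unsigned char *p, size_t n)
{
    if (n < 5 || p[0] != 0x16 || p[1] != 0x03) return 0;
    size_t rec_len = ((size_t)p[3] << 8) | p[4];
    return rec_len <= 16384 && rec_len + 5 <= n;
}

int drained_is_handshake_record(int chained, size_t chunk)
{
    size_t n = drain(chained, chunk);
    return looks_like_handshake_record(drained, n);
}

int main(void)
{
    printf("ignoring buffer: %zu bytes, valid record: %d\n",
           drain(0, 3), drained_is_handshake_record(0, 3));
    printf("chained:         %zu bytes, valid record: %d\n",
           drain(1, 3), drained_is_handshake_record(1, 3));
    return 0;
}
```

With the buffer ignored, the TLS layer sees the stream starting mid-record (16 bytes beginning with 0x01), which fails the record check; with the chained read it sees all 21 bytes in order, regardless of how small the individual reads are. That ordering, and the partial-read handling, is the whole job of the BIO the ticket's patch chains in front of the socket.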
Attachments (2)
Change History (4)
by , 6 years ago
Attachment: | 0001-Log-ignored-data-sitting-in-connection-buffer-when-s.patch added |
---|
by , 6 years ago
Attachment: | 0002-Use-a-chained-BIO-to-return-data-from-c-buffer.patch added |
---|
comment:1 by , 6 years ago
What is the reason for having ssl_preread and ssl termination on the same connection? They were never supposed to work simultaneously. If you terminate ssl then you have much more data available than what ssl_preread can give you.
comment:2 by , 6 years ago
I'm conditionally terminating SSL in my own module.
Such behaviour already exists in e.g. the mail module doing STARTTLS.