Opened 6 years ago

Last modified 6 years ago

#1617 new enhancement

preread data ignored when SSL is terminated

Reported by: James Callahan
Owned by:
Priority: minor
Milestone:
Component: other
Version: 1.13.x
Keywords:
Cc:
uname -a: Linux myhost 4.18.1-arch1-1-ARCH #1 SMP PREEMPT Wed Aug 15 21:11:55 UTC 2018 x86_64 GNU/Linux
nginx -V: nginx version: openresty/1.13.6.2 (no pool)
built by gcc 8.2.0 (GCC)
built with OpenSSL 1.1.0i 14 Aug 2018
TLS SNI support enabled
configure arguments: --prefix=/opt/openresty/nginx --with-cc-opt=-O2 --add-module=../ngx_devel_kit-0.3.0 --add-module=../echo-nginx-module-0.61 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2rc3 --add-module=../set-misc-nginx-module-0.32 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.08 --add-module=../srcache-nginx-module-0.31 --add-module=../ngx_lua-0.10.13 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.7 --add-module=../rds-json-nginx-module-0.15 --add-module=../rds-csv-nginx-module-0.09 --with-ld-opt=-Wl,-rpath,/opt/openresty/luajit/lib --with-pcre-jit --with-ipv6 --with-http_realip_module --with-http_ssl_module --with-http_stub_status_module --with-http_v2_module --with-stream_ssl_preread_module --with-stream --with-stream_ssl_module --add-module=/home/james/src/stream-lua-nginx-module

Description

Using e.g. the ssl_preread module in combination with a listen directive that terminates SSL results in discarding the preread data.

I've attached a patch that fixes this by chaining an OpenSSL BIO that first returns any data in the ngx_connection_t's buffer field.
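The following is an added illustration of the mechanism the ticket describes; it is not the attached patch and not nginx or OpenSSL code. It models a chained read source without OpenSSL: a front "BIO" (the hypothetical `chained_src_t`) first hands out the bytes already sitting in a preread buffer (the analogue of the `ngx_connection_t` `buffer` field that `ssl_preread` fills) and only then pulls from the underlying transport, so a TLS engine layered on it sees the complete byte stream. The second demo function reproduces the reported behaviour, where the terminating layer reads the transport directly and the preread bytes are silently lost. All names and the sample byte strings are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical read callback type standing in for the next BIO in the chain
 * (in nginx that would be the socket BIO). */
typedef size_t (*underlying_read_fn)(void *ctx, unsigned char *out, size_t len);

/* Hypothetical front source: preread bytes not yet delivered, then the
 * transport. Mirrors the role of the chained BIO the ticket's patch adds. */
typedef struct {
    const unsigned char *pre;   /* bytes already consumed from the wire by preread */
    size_t pre_len;
    size_t pre_pos;
    underlying_read_fn next;    /* next source in the chain */
    void *next_ctx;
} chained_src_t;

/* Read like BIO_read would: serve the preread prefix first, then delegate.
 * One source per call, so callers loop just as they do with a real BIO. */
size_t chained_read(chained_src_t *s, unsigned char *out, size_t len)
{
    if (s->pre_pos < s->pre_len) {
        size_t avail = s->pre_len - s->pre_pos;
        size_t n = avail < len ? avail : len;
        memcpy(out, s->pre + s->pre_pos, n);
        s->pre_pos += n;
        return n;
    }
    return s->next ? s->next(s->next_ctx, out, len) : 0;
}

/* Constructed in-memory transport standing in for the socket. */
typedef struct { const unsigned char *data; size_t len; size_t pos; } mem_transport_t;

static size_t mem_transport_read(void *ctx, unsigned char *out, size_t len)
{
    mem_transport_t *t = ctx;
    size_t avail = t->len - t->pos;
    size_t n = avail < len ? avail : len;
    memcpy(out, t->data + t->pos, n);
    t->pos += n;
    return n;
}

/* Drain a source into out using small reads so partial delivery is exercised. */
size_t read_all(chained_src_t *s, unsigned char *out, size_t cap)
{
    size_t total = 0;
    while (total < cap) {
        size_t want = cap - total < 4 ? cap - total : 4;
        size_t n = chained_read(s, out + total, want);
        if (n == 0) break;
        total += n;
    }
    return total;
}

/* Constructed stand-ins: the ClientHello that preread already pulled off the
 * wire, and the bytes still waiting on the transport behind it. */
static const unsigned char PREREAD[] = "CLIENTHELLO";
static const unsigned char ON_WIRE[] = "APPDATA";

/* Returns 1 when the chained source yields prefix + transport bytes, i.e. the
 * terminating TLS layer would see the whole stream. */
int chained_delivers_prefix(void)
{
    mem_transport_t t = { ON_WIRE, sizeof ON_WIRE - 1, 0 };
    chained_src_t s = { PREREAD, sizeof PREREAD - 1, 0, mem_transport_read, &t };
    unsigned char out[64];
    size_t n = read_all(&s, out, sizeof out);
    return n == 18 && memcmp(out, "CLIENTHELLOAPPDATA", 18) == 0;
}

/* Returns 1 when reading the transport alone (the behaviour the ticket
 * reports) yields only what follows the prefix: the preread data is lost. */
int direct_read_drops_prefix(void)
{
    mem_transport_t t = { ON_WIRE, sizeof ON_WIRE - 1, 0 };
    chained_src_t s = { NULL, 0, 0, mem_transport_read, &t };
    unsigned char out[64];
    size_t n = read_all(&s, out, sizeof out);
    return n == 7 && memcmp(out, "APPDATA", 7) == 0;
}

int main(void)
{
    printf("chained: %s\n", chained_delivers_prefix() ? "preread prefix preserved" : "FAIL");
    printf("direct:  %s\n", direct_read_drops_prefix() ? "preread prefix dropped" : "FAIL");
    return 0;
}
```

The check a reviewer would want on the real patch is the same one `chained_delivers_prefix` encodes: after the chained BIO is installed, the bytes in `c->buffer` must reach the TLS engine before anything read from the socket, and in order, regardless of how small the engine's individual reads are.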

Attachments (2)

0001-Log-ignored-data-sitting-in-connection-buffer-when-s.patch (905 bytes ) - added by James Callahan 6 years ago.
0002-Use-a-chained-BIO-to-return-data-from-c-buffer.patch (4.6 KB ) - added by James Callahan 6 years ago.


Change History (4)

comment:1 by Roman Arutyunyan, 6 years ago

What is the reason for having ssl_preread and ssl termination on the same connection? They were never supposed to work simultaneously. If you terminate ssl then you have much more data available than what ssl_preread can give you.

comment:2 by James Callahan, 6 years ago

> What is the reason for having ssl_preread and ssl termination on the same connection? They were never supposed to work simultaneously. If you terminate ssl then you have much more data available than what ssl_preread can give you.

I'm conditionally terminating SSL in my own module.
Such behaviour already exists in e.g. the mail module doing STARTTLS.
