Muehlenhoff has submitted this change and it was merged. Change subject: Silence openssl shutdown messages ......................................................................
Silence openssl shutdown messages Backport upstream fix 062c189fee20c18fae5ac3716a7379143d64150e which deals with changes in OpenSSL's SSL_shutdown() function during SSL handshakes introduced in 1.0.2f (causing false positive critical errors) Bug: T126616 Change-Id: I7753a6d9a9a3f0016ddb1aec86ad6997c53f820e --- M debian/changelog A debian/patches/SSL-shutdown-fix.patch M debian/patches/series 3 files changed, 47 insertions(+), 0 deletions(-) Approvals: Muehlenhoff: Verified; Looks good to me, approved diff --git a/debian/changelog b/debian/changelog index b8c035e..3b4fbe3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +nginx (1.9.4-1+wmf2) jessie-wikimedia; urgency=medium + + * Backport upstream fix 062c189fee20c18fae5ac3716a7379143d64150e which + deals with changes in OpenSSL's SSL_shutdown() function during SSL + handshakes introduced in 1.0.2f (causing false positive critical errors) + Bug: T126616 + + -- Moritz Muehlenhoff <[email protected]> Mon, 22 Feb 2016 14:12:37 +0000 + nginx (1.9.4-1+wmf1) jessie-wikimedia; urgency=medium * multicert + libssl work moved forward from 1.9.3-1+wmf2 diff --git a/debian/patches/SSL-shutdown-fix.patch b/debian/patches/SSL-shutdown-fix.patch new file mode 100644 index 0000000..c213631 --- /dev/null +++ b/debian/patches/SSL-shutdown-fix.patch 
@@ -0,0 +1,37 @@ + +# HG changeset patch +# User Maxim Dounin <[email protected]> +# Date 1455892050 -10800 +# Node ID 062c189fee20c18fae5ac3716a7379143d64150e +# Parent d194cad6dd3a0584012ec37b9e883b489d17e96b +SSL: avoid calling SSL_shutdown() during handshake (ticket #901). + +This fixes "called a function you should not call" and +"shutdown while in init" errors as observed with OpenSSL 1.0.2f +due to changes in how OpenSSL handles SSL_shutdown() during +SSL handshakes. + +diff -r d194cad6dd3a -r 062c189fee20 src/event/ngx_event_openssl.c +--- a/src/event/ngx_event_openssl.c Fri Feb 19 17:27:23 2016 +0300 ++++ b/src/event/ngx_event_openssl.c Fri Feb 19 17:27:30 2016 +0300 +@@ -1767,6 +1767,19 @@ + int n, sslerr, mode; + ngx_err_t err; + ++ if (SSL_in_init(c->ssl->connection)) { ++ /* ++ * OpenSSL 1.0.2f complains if SSL_shutdown() is called during ++ * an SSL handshake, while previous versions always return 0. ++ * Avoid calling SSL_shutdown() if handshake wasn't completed. ++ */ ++ ++ SSL_free(c->ssl->connection); ++ c->ssl = NULL; ++ ++ return NGX_OK; ++ } ++ + if (c->timedout) { + mode = SSL_RECEIVED_SHUTDOWN|SSL_SENT_SHUTDOWN; + SSL_set_quiet_shutdown(c->ssl->connection, 1); + diff --git a/debian/patches/series b/debian/patches/series index c447936..275bc4e 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -9,3 +9,4 @@ 1005-multicert-modules.patch # 1006 is a local cargo-cult of 1005's changes into the newer stream modules 1006-multicert-stream-modules.patch +SSL-shutdown-fix.patch -- To view, visit https://gerrit.wikimedia.org/r/272696 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I7753a6d9a9a3f0016ddb1aec86ad6997c53f820e Gerrit-PatchSet: 1 Gerrit-Project: operations/software/nginx Gerrit-Branch: wmf-1.9.4-1 Gerrit-Owner: Muehlenhoff <[email protected]> Gerrit-Reviewer: Muehlenhoff <[email protected]> _______________________________________________ MediaWiki-commits mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
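Review bot: the debian/changelog entry for 1.9.4-1+wmf2 repeats the commit message but never names the patch file it introduces (SSL-shutdown-fix.patch), so a reader of the changelog cannot tell which line in debian/patches/series belongs to this upload; consider leading the bullet with "Add SSL-shutdown-fix.patch: backport upstream fix 062c189fee20..." and keep the Bug: T126616 reference as is.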
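Review bot: the new SSL_in_init() block at the top of ngx_ssl_shutdown() returns NGX_OK after SSL_free() without sending close_notify and without running anything later in the function, including the c->timedout handling directly below it; that is the intended behaviour (there is no completed session to shut down cleanly), but the comment only says OpenSSL 1.0.2f "complains", so spell out that skipping the shutdown alert is deliberate and confirm, since it is not visible in the hunk, that no other cleanup later in the function (buffer release, logging) is bypassed by the early return. The comment's focus on 1.0.2f is fine in practice: the check is unconditional and harmless on older OpenSSL, where SSL_shutdown() during the handshake simply returned 0, so no version guard is needed. On the packaging side, the patch file carries the upstream hg header (Node ID 062c189fee20c18fae5ac3716a7379143d64150e) but no DEP-3 fields; adding "Origin: upstream" and "Bug: T126616" lines above the description would make the backport self-describing when the package is rebased.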
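Review bot: the new series entry breaks the numbering convention used by the entries above it (1005-multicert-modules.patch, 1006-multicert-stream-modules.patch); naming it 1007-SSL-shutdown-fix.patch, and renaming the file under debian/patches to match, keeps apply order and provenance visible from the filename alone. Because it is applied after the multicert patches, if either of those touches src/event/ngx_event_openssl.c, check with `quilt push -a` that the hunk at line 1767 still applies without offset or fuzz before the next rebase.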
