SSL: avoid reading on pending SSL_write_early_data().
If SSL_write_early_data() returned SSL_ERROR_WANT_WRITE, stop further reading
using a newly introduced c->ssl->write_blocked flag, as otherwise this would
result in SSL error "ssl3_write_bytes:bad length". Eventually, normal reading
will be restored by read event posted from successful SSL_write_early_data().
While here, place "SSL_write_early_data: want write" debug on the path.
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index a281fba..37a4b72 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -1839,6 +1839,10 @@
buf += 1;
}
+ if (c->ssl->write_blocked) {
+ return NGX_AGAIN;
+ }
+
/*
* SSL_read_early_data() may return data in parts, so try to read
* until SSL_read_early_data() would return no data
@@ -2339,6 +2343,11 @@
ngx_post_event(c->read, &ngx_posted_events);
}
+ if (c->ssl->write_blocked) {
+ c->ssl->write_blocked = 0;
+ ngx_post_event(c->read, &ngx_posted_events);
+ }
+
c->sent += written;
return written;
@@ -2352,6 +2361,9 @@
if (sslerr == SSL_ERROR_WANT_WRITE) {
+ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+ "SSL_write_early_data: want write");
+
if (c->ssl->saved_read_handler) {
c->read->handler = c->ssl->saved_read_handler;
@@ -2365,6 +2377,14 @@
ngx_post_event(c->read, &ngx_posted_events);
}
+ /*
+ * OpenSSL 1.1.1a fails to handle SSL_read_early_data()
+ * if an SSL_write_early_data() call blocked on writing,
+ * see https://github.com/openssl/openssl/issues/7757
+ */
+
+ c->ssl->write_blocked = 1;
+
c->write->ready = 0;
return NGX_AGAIN;
}
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
index abd84cc..9ec001d 100644
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -98,6 +98,7 @@
unsigned try_early_data:1;
unsigned in_early:1;
unsigned early_preread:1;
+ unsigned write_blocked:1;
};