Mercurial > nginx
changeset 9412:ca1713feedae
QUIC: better approach for premature handshake completion.

Using SSL_in_init() to inspect a handshake state was replaced with
SSL_is_init_finished(). This represents a more complete fix to the
BoringSSL issue addressed in 22671b37e.

This provides awareness of the early data handshake state when using
OpenSSL 3.5 TLS callbacks in 0-RTT enabled configurations, which, in
particular, is used to avoid premature completion of the initial TLS
handshake, before required client handshake messages are received.

This is a non-functional change when using BoringSSL. It supersedes
testing non-positive SSL_do_handshake() results in all supported SSL
libraries, hence simplified.

In preparation for using OpenSSL 3.5 TLS callbacks.

| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Fri, 16 May 2025 01:10:11 +0400 |
| parents | 7e424b06825b |
| children | e992b5db34fc |
| files | src/event/quic/ngx_event_quic_ssl.c |
| diffstat | 1 files changed, 1 insertions(+), 1 deletions(-) |
--- a/src/event/quic/ngx_event_quic_ssl.c Tue May 06 15:58:17 2025 +0400 +++ b/src/event/quic/ngx_event_quic_ssl.c Fri May 16 01:10:11 2025 +0400 @@ -463,7 +463,7 @@ } } - if (n <= 0 || SSL_in_init(ssl_conn)) { + if (!SSL_is_init_finished(ssl_conn)) { if (ngx_quic_keys_available(qc->keys, NGX_QUIC_ENCRYPTION_EARLY_DATA, 0) && qc->client_tp_done) {
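Review bot: the replacement condition `if (!SSL_is_init_finished(ssl_conn)) {` no longer consults `n` at all, and nothing in the source at that point says why. The commit message explains that the new check supersedes testing non-positive SSL_do_handshake() results and is what keeps the handshake from being treated as complete while early data is in play, but a reader of ngx_event_quic_ssl.c will only see that the `n <= 0` guard disappeared from a branch that goes on to test `ngx_quic_keys_available(qc->keys, NGX_QUIC_ENCRYPTION_EARLY_DATA, 0)` and `qc->client_tp_done`. A short comment above the `if` stating that the handshake-finished state is the sole gate here, and that it also covers the non-positive return case, would preserve that reasoning in the code. It is also worth confirming against the lines above this hunk, which are not visible in this context, that an error result in `n` is already handled before control reaches this condition, since this branch now relies entirely on the library's reported handshake state.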
