@@ -354,8 +354,11 @@ static void ngx_http_upstream_check_begin_handler(ngx_event_t *event);
354354static void ngx_http_upstream_check_connect_handler (ngx_event_t * event );
355355
356356#if (NGX_HTTP_SSL )
357- static void ngx_http_upstream_do_ssl_handshake (ngx_event_t * event );
358- static void ngx_ups_ssl_handshake (ngx_connection_t * c );
357+ static void ngx_http_upstream_do_ssl_handshake (ngx_event_t * event );
358+ static void ngx_ups_ssl_handshake (ngx_connection_t * c );
359+ static int is_https_check (ngx_http_upstream_check_peer_t * peer ) {
360+ return strcmp ((const char * )peer -> conf -> check_type_conf -> name .data , "https" ) == 0 ;
361+ }
359362#endif
360363
361364static void ngx_http_upstream_check_peek_handler (ngx_event_t * event );
@@ -1089,6 +1092,9 @@ ngx_http_upstream_check_add_timers(ngx_cycle_t *cycle) {
10891092
10901093 ucscf = peer [i ].conf ;
10911094 cf = ucscf -> check_type_conf ;
1095+ if (is_https_check (& peer [i ])) {
1096+ ngx_ssl_create (& ucscf -> ssl , NGX_SSL_SSLv3 | NGX_SSL_TLSv1 ,0 );
1097+ }
10921098
10931099 if (cf -> need_pool ) {
10941100 peer [i ].pool = ngx_create_pool (ngx_pagesize , cycle -> log );
@@ -1214,7 +1220,7 @@ ngx_http_upstream_check_connect_handler(ngx_event_t *event) {
12141220
12151221 peer = event -> data ;
12161222 ucscf = peer -> conf ;
1217- int is_https_check_type = strcmp (( const char * ) peer -> conf -> check_type_conf -> name . data , "https" ) == 0 ;
1223+ int is_https_check_type = is_https_check ( peer ) ;
12181224
12191225 if (peer -> pc .connection != NULL ) {
12201226 c = peer -> pc .connection ;
@@ -1258,7 +1264,7 @@ ngx_http_upstream_check_connect_handler(ngx_event_t *event) {
12581264 c -> sendfile = 0 ;
12591265 c -> read -> log = c -> log ;
12601266 c -> write -> log = c -> log ;
1261- c -> pool = peer -> pool ;
1267+ c -> pool = ngx_create_pool ( ngx_pagesize , ngx_cycle -> log ) ;
12621268#if (NGX_HTTP_SSL )
12631269 if (is_https_check_type && rc == NGX_AGAIN ) {
12641270 c -> write -> handler = ngx_http_upstream_do_ssl_handshake ;
@@ -1283,6 +1289,18 @@ ngx_http_upstream_check_connect_handler(ngx_event_t *event) {
12831289}
12841290
12851291#if (NGX_HTTP_SSL )
1292+ static void free_SSL_data (ngx_http_upstream_check_peer_t * peer ) {
1293+ ngx_connection_t * c = peer -> pc .connection ;
1294+ if (is_https_check (peer ) &&
1295+ c -> ssl ) {
1296+ ngx_ssl_free_buffer (c );
1297+ c -> ssl -> no_wait_shutdown = 1 ;
1298+ c -> ssl -> no_send_shutdown = 1 ;
1299+ ngx_ssl_shutdown (c );
1300+ c -> ssl = NULL ;
1301+ }
1302+ }
1303+
12861304static void ngx_http_upstream_do_ssl_handshake (ngx_event_t * event ) {
12871305 long rc ;
12881306 ngx_connection_t * c ;
@@ -1291,9 +1309,7 @@ static void ngx_http_upstream_do_ssl_handshake(ngx_event_t *event) {
12911309 c = event -> data ;
12921310 peer = c -> data ;
12931311 ucscf = peer -> conf ;
1294- ucscf -> ssl .buffer_size = NGX_SSL_BUFSIZE ;
1295- ucscf -> ssl .ctx = SSL_CTX_new (SSLv23_method ());
1296- rc = ngx_ssl_create_connection (& ucscf -> ssl , c , NGX_SSL_BUFFER |NGX_SSL_CLIENT );
1312+ rc = ngx_ssl_create_connection (& ucscf -> ssl , c , NGX_SSL_CLIENT );
12971313 if (rc != NGX_OK ) {
12981314 return ;
12991315 }
@@ -1307,9 +1323,7 @@ static void ngx_http_upstream_do_ssl_handshake(ngx_event_t *event) {
13071323 c -> tcp_nodelay = NGX_TCP_NODELAY_SET ;
13081324 rc = ngx_ssl_handshake (c );
13091325 if (rc != NGX_OK && rc != NGX_AGAIN ) {
1310- ngx_ssl_shutdown (peer -> pc .connection );
1311- SSL_CTX_free (ucscf -> ssl .ctx );
1312- ucscf -> ssl .ctx = NULL ;
1326+ free_SSL_data (peer );
13131327 return ;
13141328 }
13151329 if (rc == NGX_AGAIN ) {
@@ -1330,9 +1344,11 @@ ngx_ups_ssl_handshake(ngx_connection_t *c) {
13301344 if (c -> ssl && c -> ssl -> handshaked ) {
13311345 rc = SSL_get_verify_result (c -> ssl -> connection );
13321346 if (rc != X509_V_OK ) {
1347+ /*
13331348 ngx_log_error(NGX_LOG_ERR, c->log, 0,
13341349 "upstream SSL certificate verify error: (%l:%s)",
13351350 rc, X509_verify_cert_error_string(rc));
1351+ */
13361352 }
13371353 }
13381354 peer -> state = NGX_HTTP_CHECK_CONNECT_DONE ;
@@ -2759,15 +2775,7 @@ ngx_http_upstream_check_status_update(ngx_http_upstream_check_peer_t *peer,
27592775 }
27602776
27612777#if (NGX_HTTP_SSL )
2762- int is_https_check_type = strcmp ((const char * )peer -> conf -> check_type_conf -> name .data , "https" ) == 0 ;
2763- if (is_https_check_type ) {
2764- ngx_http_upstream_check_srv_conf_t * ucscf ;
2765- ucscf = peer -> conf ;
2766- if (ucscf -> ssl .ctx ) {
2767- ngx_ssl_shutdown (peer -> pc .connection );
2768- SSL_CTX_free (ucscf -> ssl .ctx );
2769- }
2770- }
2778+ free_SSL_data (peer );
27712779#endif
27722780 peer -> shm -> access_time = ngx_current_msec ;
27732781}
@@ -2795,6 +2803,10 @@ ngx_http_upstream_check_clean_event(ngx_http_upstream_check_peer_t *peer) {
27952803 } else {
27962804 ngx_close_connection (c );
27972805 peer -> pc .connection = NULL ;
2806+ if (c -> pool ) {
2807+ ngx_destroy_pool (c -> pool );
2808+ c -> pool = NULL ;
2809+ }
27982810 }
27992811 }
28002812
0 commit comments