From 18ba2aeb4399a8f9c50b085b41d447e24b86d947 Mon Sep 17 00:00:00 2001
From: Aleksei Bavshin
Date: Mon, 15 Sep 2025 16:49:48 -0700
Subject: [PATCH] Net: fix crash on HTTP connection to ACME server.

Plain HTTP connections are prohibited by the ACME specification, so we did not have this scenario in our test automation and overlooked the regression during the pre-release code cleanup. Nonetheless, some server implementations allow such configuration and more importantly the HTTP client code should be useful as an example for other modules.
---
 src/net/http.rs | 2 +-
 src/net/peer_conn.rs | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/net/http.rs b/src/net/http.rs
index 8a712a6..9152adc 100644
--- a/src/net/http.rs
+++ b/src/net/http.rs
@@ -148,7 +148,7 @@ impl HttpClient for NgxHttpClient<'_> {
 .connect_to(authority.as_str(), &self.resolver, ssl)
 .await?;
 
- if self.ssl_verify {
+ if ssl.is_some() && self.ssl_verify {
 if let Err(err) = peer.verify_peer() {
 let _ = future::poll_fn(|cx| peer.as_mut().poll_shutdown(cx)).await;
 return Err(err.into());
diff --git a/src/net/peer_conn.rs b/src/net/peer_conn.rs
index 8e9b427..f1be72b 100644
--- a/src/net/peer_conn.rs
+++ b/src/net/peer_conn.rs
@@ -219,6 +219,13 @@ impl PeerConnection {
 pub fn verify_peer(&mut self) -> Result<(), io::Error> {
 let c = self.connection_mut().ok_or(io::ErrorKind::NotConnected)?;
 
+ if c.ssl.is_null() {
+ return Err(io::Error::new(
+ io::ErrorKind::InvalidInput,
+ "cannot verify peer on a non-SSL connection",
+ ));
+ }
+
 let rc = unsafe { SSL_get_verify_result((*c.ssl).connection.cast()) };
 if rc != (X509_V_OK as c_long) {
 let err = unsafe { CStr::from_ptr(X509_verify_cert_error_string(rc)) };
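Review bot: The new condition `if ssl.is_some() && self.ssl_verify {` skips `verify_peer()` silently when the connection is plain HTTP, so an operator who enabled `ssl_verify` gets no signal that a response was accepted without any peer authentication. Consider emitting a warning through the module's logging facility on the `ssl.is_none()` path when `self.ssl_verify` is set, or at minimum a comment above the condition such as `// Plain HTTP carries no peer certificate; verification only applies to TLS connections.` so the bypass is visibly intentional. The enclosing method starts and ends outside the hunk, so I cannot see whether a plain-HTTP `authority` is rejected or logged earlier for the ACME use case.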
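Review bot: The `unsafe` block on the `let rc = unsafe { SSL_get_verify_result((*c.ssl).connection.cast()) };` line now depends on the null check added just above it, but nothing ties the two together, so a later reordering could reintroduce the crash; add a `// SAFETY:` comment before the deref, e.g. `// SAFETY: c.ssl was checked non-null above; presumably it stays valid while c is borrowed — confirm`. The early return also widens the function's error contract (`InvalidInput` in addition to `NotConnected`), which belongs in an `# Errors` section of the `verify_peer` doc comment; that doc comment, if one exists, sits above the hunk. `io::ErrorKind::Unsupported` may describe "not a TLS connection" more precisely than `InvalidInput`, since the caller passes no input, but either is acceptable. The rest of `verify_peer` continues below the hunk.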