author | Costa Tsaousis <costa@netdata.cloud> | 2022-12-01 15:56:50 +0200 |
committer | GitHub <noreply@github.com> | 2022-12-01 15:56:50 +0200 |
commit | 54d461b179b1a3b825acde60911fb50515c4bea8 (patch) | |
tree | e3a8ad41657939b1667e222322d8a563a59edd22 | |
parent | f7b2db2b59b16b6e31b1d84941e68e44f6301bc9 (diff) |
fix SSL related crashes (#14076)
prevent concurrent initialization of SSL from multiple threads; prevent re-initialization of SSL
-rw-r--r-- | libnetdata/socket/security.c | 38 | ||||
-rw-r--r-- | streaming/sender.c | 11 |
2 files changed, 33 insertions, 16 deletions
diff --git a/libnetdata/socket/security.c b/libnetdata/socket/security.c
index f7b44049ba..88b3f6d930 100644
--- a/libnetdata/socket/security.c
+++ b/libnetdata/socket/security.c
@@ -204,31 +204,43 @@ static SSL_CTX * security_initialize_openssl_server() {
  * NETDATA_SSL_CONTEXT_EXPORTING - Starts the OpenTSDB context
  */
 void security_start_ssl(int selector) {
+    static SPINLOCK sp = NETDATA_SPINLOCK_INITIALIZER;
+    netdata_spinlock_lock(&sp);
+
     switch (selector) {
         case NETDATA_SSL_CONTEXT_SERVER: {
-            struct stat statbuf;
-            if (stat(netdata_ssl_security_key, &statbuf) || stat(netdata_ssl_security_cert, &statbuf)) {
-                info("To use encryption it is necessary to set \"ssl certificate\" and \"ssl key\" in [web] !\n");
-                return;
+            if(!netdata_ssl_srv_ctx) {
+                struct stat statbuf;
+                if (stat(netdata_ssl_security_key, &statbuf) || stat(netdata_ssl_security_cert, &statbuf))
+                    info("To use encryption it is necessary to set \"ssl certificate\" and \"ssl key\" in [web] !\n");
+                else {
+                    netdata_ssl_srv_ctx = security_initialize_openssl_server();
+                    SSL_CTX_set_mode(netdata_ssl_srv_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
+                }
             }
-
-            netdata_ssl_srv_ctx = security_initialize_openssl_server();
-            SSL_CTX_set_mode(netdata_ssl_srv_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
             break;
         }
+
         case NETDATA_SSL_CONTEXT_STREAMING: {
-            netdata_ssl_client_ctx = security_initialize_openssl_client();
-            //This is necessary for the stream, because it is working sometimes with nonblock socket.
-            //It returns the bitmask after to change, there is not any description of errors in the documentation
-            SSL_CTX_set_mode(
-                netdata_ssl_client_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |SSL_MODE_AUTO_RETRY);
+            if(!netdata_ssl_client_ctx) {
+                netdata_ssl_client_ctx = security_initialize_openssl_client();
+                //This is necessary for the stream, because it is working sometimes with nonblock socket.
+                //It returns the bitmask after to change, there is not any description of errors in the documentation
+                SSL_CTX_set_mode(netdata_ssl_client_ctx,
+                                 SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
+                                 SSL_MODE_AUTO_RETRY);
+            }
             break;
         }
+
         case NETDATA_SSL_CONTEXT_EXPORTING: {
-            netdata_ssl_exporting_ctx = security_initialize_openssl_client();
+            if(!netdata_ssl_exporting_ctx)
+                netdata_ssl_exporting_ctx = security_initialize_openssl_client();
             break;
         }
     }
+
+    netdata_spinlock_unlock(&sp);
 }
 
 /**
diff --git a/streaming/sender.c b/streaming/sender.c
index 8e637d2bd7..62097e39f6 100644
--- a/streaming/sender.c
+++ b/streaming/sender.c
@@ -1114,9 +1114,14 @@ void *rrdpush_sender_thread(void *ptr) {
     }
 
 #ifdef ENABLE_HTTPS
-    if (netdata_use_ssl_on_stream & NETDATA_SSL_FORCE ){
-        security_start_ssl(NETDATA_SSL_CONTEXT_STREAMING);
-        ssl_security_location_for_context(netdata_ssl_client_ctx, netdata_ssl_ca_file, netdata_ssl_ca_path);
+    if (netdata_use_ssl_on_stream & NETDATA_SSL_FORCE ) {
+        static SPINLOCK sp = NETDATA_SPINLOCK_INITIALIZER;
+        netdata_spinlock_lock(&sp);
+        if(!netdata_ssl_client_ctx) {
+            security_start_ssl(NETDATA_SSL_CONTEXT_STREAMING);
+            ssl_security_location_for_context(netdata_ssl_client_ctx, netdata_ssl_ca_file, netdata_ssl_ca_path);
+        }
+        netdata_spinlock_unlock(&sp);
     }
 #endif |
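Review bot: The server and streaming branches still call `SSL_CTX_set_mode()` on the freshly assigned context without checking it, so if `security_initialize_openssl_server()` or `security_initialize_openssl_client()` can return NULL on failure (context creation or certificate/key loading failing — their bodies are outside this hunk), the set_mode call dereferences a null pointer, which is the class of crash this commit sets out to remove. Guarding the assignment, `netdata_ssl_srv_ctx = security_initialize_openssl_server();` followed by `if (netdata_ssl_srv_ctx) SSL_CTX_set_mode(netdata_ssl_srv_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);`, leaves the global NULL so a later call retries instead of crashing; the same guard applies to the streaming case. Separately, the new spinlock is held across `stat()` and the whole OpenSSL context construction, which does file I/O and certificate parsing; a mutex or a once-style initializer suits a critical section of that length better than a spinlock, since every contending thread busy-waits for its full duration.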
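Review bot: The `if(!netdata_ssl_client_ctx)` test added here gates `ssl_security_location_for_context()` on the sender's private spinlock, while `netdata_ssl_client_ctx` itself is created by `security_start_ssl()` under a different lock; if any other caller initializes the streaming context first, this branch is skipped and the configured CA file/path is never applied to that context, so peer verification for the stream would run without the intended trust store. Moving the `ssl_security_location_for_context()` call into `security_start_ssl()`'s `NETDATA_SSL_CONTEXT_STREAMING` branch, next to the context creation and under its lock, makes the CA configuration part of the one-time initialization and removes the need for the outer spinlock here. As in security.c, the spinlock is held across file I/O and OpenSSL setup, where a mutex would be the better primitive. rrdpush_sender_thread begins and ends outside the hunk.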