From: Dmitry Volyntsev Date: Thu, 28 May 2026 05:06:55 +0000 (-0700) Subject: Fetch: fix keepalive with disabled TLS verification X-Git-Tag: 1.0.0~37 X-Git-Url: http://git.kaiwu.me/postgresql/log/contrib/postgres_fdw/stylesheets/stylesheet.css?a=commitdiff_plain;h=ebcc9dee52cc35c2883c52bf5417ea555cb4f492;p=njs.git Fetch: fix keepalive with disabled TLS verification HTTPS connections established with certificate verification disabled are now excluded from the Fetch keepalive cache. This prevents a later verified request to the same destination from reusing a TLS connection that was created with verification disabled. --- diff --git a/nginx/ngx_js_fetch.c b/nginx/ngx_js_fetch.c index 608af25b..ac19d704 100644 --- a/nginx/ngx_js_fetch.c +++ b/nginx/ngx_js_fetch.c @@ -584,6 +584,12 @@ ngx_js_ext_fetch(njs_vm_t *vm, njs_value_t *args, njs_uint_t nargs, #endif } +#if (NGX_SSL) + if (http->ssl != NULL && !http->ssl_verify) { + http->keepalive = 0; + } +#endif + if (request.method.len == 4 && ngx_strncasecmp(request.method.data, (u_char *) "HEAD", 4) == 0) { diff --git a/nginx/ngx_qjs_fetch.c b/nginx/ngx_qjs_fetch.c index 066088ce..6f97e7f3 100644 --- a/nginx/ngx_qjs_fetch.c +++ b/nginx/ngx_qjs_fetch.c @@ -319,6 +319,12 @@ ngx_qjs_ext_fetch(JSContext *cx, JSValueConst this_val, int argc, #endif } +#if (NGX_SSL) + if (http->ssl != NULL && !http->ssl_verify) { + http->keepalive = 0; + } +#endif + if (request.method.len == 4 && ngx_strncasecmp(request.method.data, (u_char *) "HEAD", 4) == 0) { diff --git a/nginx/t/js_fetch_https_keepalive.t b/nginx/t/js_fetch_https_keepalive.t index 86f72d0a..36616ca8 100644 --- a/nginx/t/js_fetch_https_keepalive.t +++ b/nginx/t/js_fetch_https_keepalive.t 
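Review bot: The new guard in ngx_js_ext_fetch() has no comment stating the invariant it protects, and it is only correct if `http->ssl` and `http->ssl_verify` already hold their final values at this point. Both are assigned outside the hunk, so that ordering cannot be confirmed from here. I would add `/* a TLS connection made without peer verification must never enter the keepalive cache, where a verified request could pick it up */` above the `if`, and say there that the check must stay after the per-request options are parsed. The identical block added to ngx_qjs_ext_fetch() in ngx_qjs_fetch.c needs the same comment. The function body starts and ends outside the hunk.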
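Review bot: The rule is enforced by clearing `http->keepalive` at request setup in each engine's entry point, here in ngx_qjs_ext_fetch() and again in ngx_js_ext_fetch(), rather than at the point where a finished connection is handed to the keepalive cache. A later code path that builds a request with `ssl_verify` off and does not copy these six lines would cache an unverified connection again without any visible failure. The cache-insert code is not visible in this diff, so this is a suggestion to check: if it is shared by both engines, a guard such as `if (http->ssl != NULL && !http->ssl_verify) { /* close, do not cache */ }` there would hold the invariant in one place. This block could then stay as an early opt-out.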
@@ -74,6 +74,15 @@ http { js_fetch_protocols TLSv1.1 TLSv1.2; js_fetch_trusted_certificate myca.crt; } + + location /verify_off_no_keepalive { + js_content test.verify_off_no_keepalive; + + js_fetch_keepalive 4; + js_fetch_ciphers HIGH:!aNull:!MD5; + js_fetch_protocols TLSv1.1 TLSv1.2; + js_fetch_trusted_certificate myca.crt; + } } server { @@ -174,8 +183,27 @@ $t->write_file('test.js', <testdir(); @@ -247,7 +275,7 @@ foreach my $name ('1.example.com', 'ka.example.com') { $t->try_run('no njs.fetch'); -$t->plan(5); +$t->plan(6); $t->run_daemon(\&dns_daemon, port(8981), $t); $t->waitforfile($t->testdir . '/' . port(8981)); @@ -266,6 +294,9 @@ like(http_get('/sni_isolation'), like(http_get('/plain_vs_https_isolation'), qr/CONN:1\|PLAIN:1\|CONN:2$/s, 'fetch https->plain->https keepalive isolation'); +like(http_get('/verify_off_no_keepalive'), + qr/CONN:1\|CONN:1\|CONN:2$/s, + 'fetch https verify off is not kept alive'); ###############################################################################
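Review bot: The new `/verify_off_no_keepalive` location sets no `js_fetch_verify` directive, so verification is presumably turned off per request inside `test.verify_off_no_keepalive`, whose body is not readable in this view. The C change keys on `http->ssl_verify` however it was cleared, so a second case with `js_fetch_verify off;` at location level would show that the directive path is also kept out of the cache. A one-line comment above the new `like(...)` naming which fetch each field of `CONN:1|CONN:1|CONN:2` belongs to would let the expected pattern be checked without reading test.js.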