Fixing multiple TLS-enabled listeners initialization.

Because of the incorrect 'last' field assignment, multiple listeners with
a TLS certificate did not initialize properly, which caused a router crash
while establishing a connection.

Test with multiple TLS listeners added.

The issue was introduced in the c548e46fe516 commit.

This closes #561 issue on GitHub.

docs/changes.xml

@@ -44,6 +44,13 @@ Initial release of Java 17 module for NGINX Unit.
 </para>
 </change>
 
+<change type="bugfix">
+<para>
+the router process could crash on TLS connection open when multiple listeners
+with TLS certificate configured; the bug had appeared in 1.23.0.
+</para>
+</change>
+
 </changes>
 
 

src/nxt_router.c

@@ -124,7 +124,7 @@ static void nxt_router_tls_rpc_handler(nxt_task_t *task,
     nxt_port_recv_msg_t *msg, void *data);
 static nxt_int_t nxt_router_conf_tls_insert(nxt_router_temp_conf_t *tmcf,
     nxt_conf_value_t *value, nxt_socket_conf_t *skcf,
-    nxt_conf_value_t * conf_cmds);
+    nxt_conf_value_t * conf_cmds, nxt_bool_t last);
 #endif
 static void nxt_router_app_rpc_create(nxt_task_t *task,
     nxt_router_temp_conf_t *tmcf, nxt_app_t *app);
@@ -956,8 +956,6 @@ nxt_router_conf_apply(nxt_task_t *task, void *obj, void *data)
 
         tls = nxt_queue_link_data(qlk, nxt_router_tlssock_t, link);
 
-        tls->last = nxt_queue_is_empty(&tmcf->tls);
-
         nxt_cert_store_get(task, &tls->name, tmcf->mem_pool,
                            nxt_router_tls_rpc_handler, tls);
         return;
@@ -1752,7 +1750,7 @@ nxt_router_conf_create(nxt_task_t *task, nxt_router_temp_conf_t *tmcf,
                         nxt_assert(value != NULL);
 
                         ret = nxt_router_conf_tls_insert(tmcf, value, skcf,
-                                                         conf_cmds);
+                                                         conf_cmds, i == 0);
                         if (nxt_slow_path(ret != NXT_OK)) {
                             goto fail;
                         }
@@ -1761,7 +1759,7 @@ nxt_router_conf_create(nxt_task_t *task, nxt_router_temp_conf_t *tmcf,
                 } else {
                     /* NXT_CONF_STRING */
                     ret = nxt_router_conf_tls_insert(tmcf, certificate, skcf,
-                                                     conf_cmds);
+                                                     conf_cmds, 1);
                     if (nxt_slow_path(ret != NXT_OK)) {
                         goto fail;
                     }
@@ -1856,7 +1854,7 @@ fail:
 static nxt_int_t
 nxt_router_conf_tls_insert(nxt_router_temp_conf_t *tmcf,
     nxt_conf_value_t *value, nxt_socket_conf_t *skcf,
-    nxt_conf_value_t *conf_cmds)
+    nxt_conf_value_t *conf_cmds, nxt_bool_t last)
 {
     nxt_router_tlssock_t  *tls;
 
@@ -1868,6 +1866,7 @@ nxt_router_conf_tls_insert(nxt_router_temp_conf_t *tmcf,
     tls->socket_conf = skcf;
     tls->conf_cmds = conf_cmds;
     tls->temp_conf = tmcf;
+    tls->last = last;
     nxt_conf_get_string(value, &tls->name);
 
     nxt_queue_insert_tail(&tmcf->tls, &tls->link);

test/test_tls.py

@@ -665,3 +665,16 @@ basicConstraints = critical,CA:TRUE"""
         )
         assert res['status'] == 200, 'status ok'
         assert res['body'] == filename + data
+
+    def test_tls_multi_listener(self):
+        self.load('empty')
+
+        self.certificate()
+
+        self.add_tls()
+        self.add_tls(port=7081)
+
+        assert self.get_ssl()['status'] == 200, 'listener #1'
+
+        assert self.get_ssl(port=7081)['status'] == 200, 'listener #2'
+