From f79a43a96dbda5e4e6692778bb3f10ee8874c7c8 Mon Sep 17 00:00:00 2001
From: Eric Wong <e@80x24.org>
Date: Fri, 12 Feb 2016 00:59:11 +0000
Subject: avoid race conditions in OpenSSL::SSL::SSLContext#setup

By explicitly calling OpenSSL::SSL::SSLContext#setup before
accepting connections.  We cannot rely on "setup" being called
implicitly because any callbacks configured or objects
configured by the client may not be thread-safe.

We also avoid calling "setup" in the master process (if yahns is
configured to use worker processeses) in case the setup code
starts any TCP connections (e.g. to memcached for session
caching).
---
 lib/yahns/server.rb | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/lib/yahns/server.rb b/lib/yahns/server.rb
index b7a7554..09ddbef 100644
--- a/lib/yahns/server.rb
+++ b/lib/yahns/server.rb
@@ -380,7 +380,14 @@ class Yahns::Server # :nodoc:
       ctx.queue = queues[qegg] ||= qegg_vivify(qegg, fdmap)
       ctx = ctx.dup
       ctx.__send__(:include, l.expire_mod)
-      ctx.__send__(:include, Yahns::OpenSSLClient) if opts[:ssl_ctx]
+      if ssl_ctx = opts[:ssl_ctx]
+        ctx.__send__(:include, Yahns::OpenSSLClient)
+
+        # call OpenSSL::SSL::SSLContext#setup explicitly here to detect
+        # errors and avoid race conditions.  We avoid calling this in the
+        # parent process since
+        ssl_ctx.setup
+      end
       ctx_list << ctx
       # acceptors feed the the queues
       l.spawn_acceptor(opts[:threads] || 1, @logger, ctx)
-- 
cgit v1.2.3-24-ge0c7