comparison src/http/ngx_http_request.c @ 7472:d430babbe643
SSL: server name callback changed to return fatal errors.
Notably this affects various allocation errors, and should generally
improve things if an allocation error actually happens during a callback.
Depending on the OpenSSL version, returning an error can result in
either SSL_R_CALLBACK_FAILED or SSL_R_CLIENTHELLO_TLSEXT error from
SSL_do_handshake(), so both errors were switched to the "info" level.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Sun, 03 Mar 2019 16:48:06 +0300 |
parents | 7e8bcba6d039 |
children | 49f9d2f7d887 |
7471:7e8bcba6d039 | 7472:d430babbe643 |
---|---|
853 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME | 853 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME |
854 | 854 |
855 int | 855 int |
856 ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) | 856 ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) |
857 { | 857 { |
858 ngx_int_t rc; | |
858 ngx_str_t host; | 859 ngx_str_t host; |
859 const char *servername; | 860 const char *servername; |
860 ngx_connection_t *c; | 861 ngx_connection_t *c; |
861 ngx_http_connection_t *hc; | 862 ngx_http_connection_t *hc; |
862 ngx_http_ssl_srv_conf_t *sscf; | 863 ngx_http_ssl_srv_conf_t *sscf; |
870 } | 871 } |
871 | 872 |
872 c = ngx_ssl_get_connection(ssl_conn); | 873 c = ngx_ssl_get_connection(ssl_conn); |
873 | 874 |
874 if (c->ssl->handshaked) { | 875 if (c->ssl->handshaked) { |
875 return SSL_TLSEXT_ERR_OK; | 876 *ad = SSL_AD_NO_RENEGOTIATION; |
877 return SSL_TLSEXT_ERR_ALERT_FATAL; | |
876 } | 878 } |
877 | 879 |
878 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, | 880 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, |
879 "SSL server name: \"%s\"", servername); | 881 "SSL server name: \"%s\"", servername); |
880 | 882 |
884 return SSL_TLSEXT_ERR_OK; | 886 return SSL_TLSEXT_ERR_OK; |
885 } | 887 } |
886 | 888 |
887 host.data = (u_char *) servername; | 889 host.data = (u_char *) servername; |
888 | 890 |
889 if (ngx_http_validate_host(&host, c->pool, 1) != NGX_OK) { | 891 rc = ngx_http_validate_host(&host, c->pool, 1); |
892 | |
893 if (rc == NGX_ERROR) { | |
894 *ad = SSL_AD_INTERNAL_ERROR; | |
895 return SSL_TLSEXT_ERR_ALERT_FATAL; | |
896 } | |
897 | |
898 if (rc == NGX_DECLINED) { | |
890 return SSL_TLSEXT_ERR_OK; | 899 return SSL_TLSEXT_ERR_OK; |
891 } | 900 } |
892 | 901 |
893 hc = c->data; | 902 hc = c->data; |
894 | 903 |
895 if (ngx_http_find_virtual_server(c, hc->addr_conf->virtual_names, &host, | 904 rc = ngx_http_find_virtual_server(c, hc->addr_conf->virtual_names, &host, |
896 NULL, &cscf) | 905 NULL, &cscf); |
897 != NGX_OK) | 906 |
898 { | 907 if (rc == NGX_ERROR) { |
908 *ad = SSL_AD_INTERNAL_ERROR; | |
909 return SSL_TLSEXT_ERR_ALERT_FATAL; | |
910 } | |
911 | |
912 if (rc == NGX_DECLINED) { | |
899 return SSL_TLSEXT_ERR_OK; | 913 return SSL_TLSEXT_ERR_OK; |
900 } | 914 } |
901 | 915 |
902 hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t)); | 916 hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t)); |
903 if (hc->ssl_servername == NULL) { | 917 if (hc->ssl_servername == NULL) { |
904 return SSL_TLSEXT_ERR_OK; | 918 *ad = SSL_AD_INTERNAL_ERROR; |
919 return SSL_TLSEXT_ERR_ALERT_FATAL; | |
905 } | 920 } |
906 | 921 |
907 *hc->ssl_servername = host; | 922 *hc->ssl_servername = host; |
908 | 923 |
909 hc->conf_ctx = cscf->ctx; | 924 hc->conf_ctx = cscf->ctx; |
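Review bot: The two `if (rc == NGX_DECLINED)` tests (new lines 898 and 912) are narrower than the `!= NGX_OK` checks they replace, so any return value other than NGX_OK, NGX_ERROR or NGX_DECLINED now falls through; after the `ngx_http_find_virtual_server()` call that path reaches `hc->conf_ctx = cscf->ctx` with `cscf` possibly never assigned. If both helpers can only return those three codes this is harmless, but that is not visible in this section; writing the second test of each pair as `if (rc != NGX_OK) {` keeps the old fail-safe default while still making NGX_ERROR fatal. The `c->ssl->handshaked` branch turns a silent OK into a fatal alert and would benefit from a short comment such as `/* callback invoked after the handshake completed: reject with no_renegotiation */`. The function body begins before and continues past the lines shown here.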