Mercurial > hg > nginx
comparison src/http/ngx_http_request.c @ 7475:49f9d2f7d887
SSL: moved c->ssl->handshaked check in server name callback.
Server name callback is always called by OpenSSL, even
if server_name extension is not present in ClientHello. As such,
checking c->ssl->handshaked before the SSL_get_servername() result
should help to more effectively prevent renegotiation in
OpenSSL 1.1.0 - 1.1.0g, where neither SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
nor SSL_OP_NO_RENEGOTIATION is available.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Tue, 05 Mar 2019 16:34:19 +0300 |
| parents | d430babbe643 |
| children | aca005d232ff |
comparison
equal
deleted
inserted
replaced
| 7474:3f1db95d758a | 7475:49f9d2f7d887 |
|---|---|
| 862 ngx_http_connection_t *hc; | 862 ngx_http_connection_t *hc; |
| 863 ngx_http_ssl_srv_conf_t *sscf; | 863 ngx_http_ssl_srv_conf_t *sscf; |
| 864 ngx_http_core_loc_conf_t *clcf; | 864 ngx_http_core_loc_conf_t *clcf; |
| 865 ngx_http_core_srv_conf_t *cscf; | 865 ngx_http_core_srv_conf_t *cscf; |
| 866 | 866 |
| 867 servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name); | |
| 868 | |
| 869 if (servername == NULL) { | |
| 870 return SSL_TLSEXT_ERR_OK; | |
| 871 } | |
| 872 | |
| 873 c = ngx_ssl_get_connection(ssl_conn); | 867 c = ngx_ssl_get_connection(ssl_conn); |
| 874 | 868 |
| 875 if (c->ssl->handshaked) { | 869 if (c->ssl->handshaked) { |
| 876 *ad = SSL_AD_NO_RENEGOTIATION; | 870 *ad = SSL_AD_NO_RENEGOTIATION; |
| 877 return SSL_TLSEXT_ERR_ALERT_FATAL; | 871 return SSL_TLSEXT_ERR_ALERT_FATAL; |
| 872 } | |
| 873 | |
| 874 servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name); | |
| 875 | |
| 876 if (servername == NULL) { | |
| 877 return SSL_TLSEXT_ERR_OK; | |
| 878 } | 878 } |
| 879 | 879 |
| 880 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, | 880 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, |
| 881 "SSL server name: \"%s\"", servername); | 881 "SSL server name: \"%s\"", servername); |
| 882 | 882 |