comparison src/http/ngx_http_request.c @ 7475:49f9d2f7d887
SSL: moved c->ssl->handshaked check in server name callback.
Server name callback is always called by OpenSSL, even
if server_name extension is not present in ClientHello. As such,
checking c->ssl->handshaked before the SSL_get_servername() result
should help to more effectively prevent renegotiation in
OpenSSL 1.1.0 - 1.1.0g, where neither SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
nor SSL_OP_NO_RENEGOTIATION is available.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Tue, 05 Mar 2019 16:34:19 +0300 |
parents | d430babbe643 |
children | aca005d232ff |
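--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -862,21 +862,21 @@
 ngx_http_connection_t *hc;
 ngx_http_ssl_srv_conf_t *sscf;
 ngx_http_core_loc_conf_t *clcf;
 ngx_http_core_srv_conf_t *cscf;
 
-servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
-
-if (servername == NULL) {
-return SSL_TLSEXT_ERR_OK;
-}
-
 c = ngx_ssl_get_connection(ssl_conn);
 
 if (c->ssl->handshaked) {
 *ad = SSL_AD_NO_RENEGOTIATION;
 return SSL_TLSEXT_ERR_ALERT_FATAL;
+}
+
+servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
+
+if (servername == NULL) {
+return SSL_TLSEXT_ERR_OK;
 }
 
 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
 "SSL server name: \"%s\"", servername);
 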
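Review bot: The placement of the c->ssl->handshaked check ahead of SSL_get_servername() is the entire security intent of this change, yet nothing in the code records it, so a later tidy-up that moves the servername NULL check back to the top would silently reopen the renegotiation path for a ClientHello that carries no server_name extension. I would add a comment directly above `if (c->ssl->handshaked) {` along the lines of `/* must run before SSL_get_servername(): OpenSSL invokes this callback even without a server_name extension, and on 1.1.0-1.1.0g this is the only place renegotiation can be refused */`. The enclosing server-name callback starts and ends outside the hunk, so I could not confirm from here whether c->ssl is guaranteed non-NULL at this point; the old code dereferenced it in the same way, so that is unchanged by the commit.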