comparison src/http/ngx_http_request.c @ 7471:7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
OpenSSL 1.1.1 does not save server name to the session if server name
callback returns anything but SSL_TLSEXT_ERR_OK, thus breaking
the $ssl_server_name variable in resumed sessions.
Since $ssl_server_name can be used even if we've selected the default
server and there are no other servers, it looks like the only viable
solution is to always return SSL_TLSEXT_ERR_OK regardless of the actual
result.
To fix things in the stream module as well, added a dummy server name
callback which always returns SSL_TLSEXT_ERR_OK.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Sun, 03 Mar 2019 16:47:44 +0300 |
parents | 48c87377aabd |
children | d430babbe643 |
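--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -864,46 +864,46 @@
 ngx_http_core_srv_conf_t *cscf;
 
 servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
 
 if (servername == NULL) {
-return SSL_TLSEXT_ERR_NOACK;
+return SSL_TLSEXT_ERR_OK;
 }
 
 c = ngx_ssl_get_connection(ssl_conn);
 
 if (c->ssl->handshaked) {
-return SSL_TLSEXT_ERR_NOACK;
+return SSL_TLSEXT_ERR_OK;
 }
 
 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
 "SSL server name: \"%s\"", servername);
 
 host.len = ngx_strlen(servername);
 
 if (host.len == 0) {
-return SSL_TLSEXT_ERR_NOACK;
+return SSL_TLSEXT_ERR_OK;
 }
 
 host.data = (u_char *) servername;
 
 if (ngx_http_validate_host(&host, c->pool, 1) != NGX_OK) {
-return SSL_TLSEXT_ERR_NOACK;
+return SSL_TLSEXT_ERR_OK;
 }
 
 hc = c->data;
 
 if (ngx_http_find_virtual_server(c, hc->addr_conf->virtual_names, &host,
 NULL, &cscf)
 != NGX_OK)
 {
-return SSL_TLSEXT_ERR_NOACK;
+return SSL_TLSEXT_ERR_OK;
 }
 
 hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
 if (hc->ssl_servername == NULL) {
-return SSL_TLSEXT_ERR_NOACK;
+return SSL_TLSEXT_ERR_OK;
 }
 
 *hc->ssl_servername = host;
 
 hc->conf_ctx = cscf->ctx;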
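Review bot: The `ngx_palloc` failure at line 903 and the `ngx_http_validate_host` rejection at line 889 now return `SSL_TLSEXT_ERR_OK`, the same code as a successful virtual-server match. The handshake continued on the default server's configuration before this change too, but now an out-of-memory condition or a malformed SNI name is also acknowledged to the client. Per the commit message, OpenSSL then saves the name to the session, so a name that failed validation or matched no server is presumably what `$ssl_server_name` yields on resumption; anything consuming that variable should keep treating it as unvalidated client input. For the allocation failure I would fail the handshake instead, `return SSL_TLSEXT_ERR_ALERT_FATAL;`, setting the alert through the callback's alert argument if the signature (outside this hunk) exposes it. Since the return code no longer says whether a server was selected, the first return also deserves a comment such as `/* always OK: OpenSSL 1.1.1 saves the server name to the session only on SSL_TLSEXT_ERR_OK */`; the function begins and ends outside the hunk.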