Mercurial > hg > nginx
comparison src/http/ngx_http_request.c @ 7471:7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
OpenSSL 1.1.1 does not save server name to the session if server name
callback returns anything but SSL_TLSEXT_ERR_OK, thus breaking
the $ssl_server_name variable in resumed sessions.
Since $ssl_server_name can be used even if we've selected the default
server and there are no other servers, it looks like the only viable
solution is to always return SSL_TLSEXT_ERR_OK regardless of the actual
result.
To fix things in the stream module as well, added a dummy server name
callback which always returns SSL_TLSEXT_ERR_OK.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Sun, 03 Mar 2019 16:47:44 +0300 |
| parents | 48c87377aabd |
| children | d430babbe643 |
comparison
equal
deleted
inserted
replaced
| 7470:48af42db14ab | 7471:7e8bcba6d039 |
|---|---|
| 864 ngx_http_core_srv_conf_t *cscf; | 864 ngx_http_core_srv_conf_t *cscf; |
| 865 | 865 |
| 866 servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name); | 866 servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name); |
| 867 | 867 |
| 868 if (servername == NULL) { | 868 if (servername == NULL) { |
| 869 return SSL_TLSEXT_ERR_NOACK; | 869 return SSL_TLSEXT_ERR_OK; |
| 870 } | 870 } |
| 871 | 871 |
| 872 c = ngx_ssl_get_connection(ssl_conn); | 872 c = ngx_ssl_get_connection(ssl_conn); |
| 873 | 873 |
| 874 if (c->ssl->handshaked) { | 874 if (c->ssl->handshaked) { |
| 875 return SSL_TLSEXT_ERR_NOACK; | 875 return SSL_TLSEXT_ERR_OK; |
| 876 } | 876 } |
| 877 | 877 |
| 878 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, | 878 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, |
| 879 "SSL server name: \"%s\"", servername); | 879 "SSL server name: \"%s\"", servername); |
| 880 | 880 |
| 881 host.len = ngx_strlen(servername); | 881 host.len = ngx_strlen(servername); |
| 882 | 882 |
| 883 if (host.len == 0) { | 883 if (host.len == 0) { |
| 884 return SSL_TLSEXT_ERR_NOACK; | 884 return SSL_TLSEXT_ERR_OK; |
| 885 } | 885 } |
| 886 | 886 |
| 887 host.data = (u_char *) servername; | 887 host.data = (u_char *) servername; |
| 888 | 888 |
| 889 if (ngx_http_validate_host(&host, c->pool, 1) != NGX_OK) { | 889 if (ngx_http_validate_host(&host, c->pool, 1) != NGX_OK) { |
| 890 return SSL_TLSEXT_ERR_NOACK; | 890 return SSL_TLSEXT_ERR_OK; |
| 891 } | 891 } |
| 892 | 892 |
| 893 hc = c->data; | 893 hc = c->data; |
| 894 | 894 |
| 895 if (ngx_http_find_virtual_server(c, hc->addr_conf->virtual_names, &host, | 895 if (ngx_http_find_virtual_server(c, hc->addr_conf->virtual_names, &host, |
| 896 NULL, &cscf) | 896 NULL, &cscf) |
| 897 != NGX_OK) | 897 != NGX_OK) |
| 898 { | 898 { |
| 899 return SSL_TLSEXT_ERR_NOACK; | 899 return SSL_TLSEXT_ERR_OK; |
| 900 } | 900 } |
| 901 | 901 |
| 902 hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t)); | 902 hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t)); |
| 903 if (hc->ssl_servername == NULL) { | 903 if (hc->ssl_servername == NULL) { |
| 904 return SSL_TLSEXT_ERR_NOACK; | 904 return SSL_TLSEXT_ERR_OK; |
| 905 } | 905 } |
| 906 | 906 |
| 907 *hc->ssl_servername = host; | 907 *hc->ssl_servername = host; |
| 908 | 908 |
| 909 hc->conf_ctx = cscf->ctx; | 909 hc->conf_ctx = cscf->ctx; |