Mercurial > hg > nginx
comparison src/stream/ngx_stream_ssl_module.c @ 7471:7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
OpenSSL 1.1.1 does not save server name to the session if server name
callback returns anything but SSL_TLSEXT_ERR_OK, thus breaking
the $ssl_server_name variable in resumed sessions.
Since $ssl_server_name can be used even if we've selected the default
server and there are no other servers, it looks like the only viable
solution is to always return SSL_TLSEXT_ERR_OK regardless of the actual
result.
To fix things in the stream module as well, added a dummy server name
callback which always returns SSL_TLSEXT_ERR_OK.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Sun, 03 Mar 2019 16:47:44 +0300 |
| parents | 48c87377aabd |
| children | 8981dbb12254 |
comparison
equal
deleted
inserted
replaced
| 7470:48af42db14ab | 7471:7e8bcba6d039 |
|---|---|
| 20 | 20 |
| 21 static ngx_int_t ngx_stream_ssl_handler(ngx_stream_session_t *s); | 21 static ngx_int_t ngx_stream_ssl_handler(ngx_stream_session_t *s); |
| 22 static ngx_int_t ngx_stream_ssl_init_connection(ngx_ssl_t *ssl, | 22 static ngx_int_t ngx_stream_ssl_init_connection(ngx_ssl_t *ssl, |
| 23 ngx_connection_t *c); | 23 ngx_connection_t *c); |
| 24 static void ngx_stream_ssl_handshake_handler(ngx_connection_t *c); | 24 static void ngx_stream_ssl_handshake_handler(ngx_connection_t *c); |
| 25 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME | |
| 26 int ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg); | |
| 27 #endif | |
| 25 #ifdef SSL_R_CERT_CB_ERROR | 28 #ifdef SSL_R_CERT_CB_ERROR |
| 26 static int ngx_stream_ssl_certificate(ngx_ssl_conn_t *ssl_conn, void *arg); | 29 static int ngx_stream_ssl_certificate(ngx_ssl_conn_t *ssl_conn, void *arg); |
| 27 #endif | 30 #endif |
| 28 static ngx_int_t ngx_stream_ssl_static_variable(ngx_stream_session_t *s, | 31 static ngx_int_t ngx_stream_ssl_static_variable(ngx_stream_session_t *s, |
| 29 ngx_stream_variable_value_t *v, uintptr_t data); | 32 ngx_stream_variable_value_t *v, uintptr_t data); |
| 412 | 415 |
| 413 ngx_stream_core_run_phases(s); | 416 ngx_stream_core_run_phases(s); |
| 414 } | 417 } |
| 415 | 418 |
| 416 | 419 |
| 420 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME | |
| 421 | |
| 422 int | |
| 423 ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) | |
| 424 { | |
| 425 return SSL_TLSEXT_ERR_OK; | |
| 426 } | |
| 427 | |
| 428 #endif | |
| 429 | |
| 430 | |
| 417 #ifdef SSL_R_CERT_CB_ERROR | 431 #ifdef SSL_R_CERT_CB_ERROR |
| 418 | 432 |
| 419 int | 433 int |
| 420 ngx_stream_ssl_certificate(ngx_ssl_conn_t *ssl_conn, void *arg) | 434 ngx_stream_ssl_certificate(ngx_ssl_conn_t *ssl_conn, void *arg) |
| 421 { | 435 { |
| 680 } | 694 } |
| 681 | 695 |
| 682 cln->handler = ngx_ssl_cleanup_ctx; | 696 cln->handler = ngx_ssl_cleanup_ctx; |
| 683 cln->data = &conf->ssl; | 697 cln->data = &conf->ssl; |
| 684 | 698 |
| 699 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME | |
| 700 SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx, | |
| 701 ngx_stream_ssl_servername); | |
| 702 #endif | |
| 703 | |
| 685 if (ngx_stream_ssl_compile_certificates(cf, conf) != NGX_OK) { | 704 if (ngx_stream_ssl_compile_certificates(cf, conf) != NGX_OK) { |
| 686 return NGX_CONF_ERROR; | 705 return NGX_CONF_ERROR; |
| 687 } | 706 } |
| 688 | 707 |
| 689 if (conf->certificate_values) { | 708 if (conf->certificate_values) { |