comparison src/stream/ngx_stream_ssl_module.c @ 7471:7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
OpenSSL 1.1.1 does not save server name to the session if server name
callback returns anything but SSL_TLSEXT_ERR_OK, thus breaking
the $ssl_server_name variable in resumed sessions.
Since $ssl_server_name can be used even if we've selected the default
server and there are no other servers, it looks like the only viable
solution is to always return SSL_TLSEXT_ERR_OK regardless of the actual
result.
To fix things in the stream module as well, added a dummy server name
callback which always returns SSL_TLSEXT_ERR_OK.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Sun, 03 Mar 2019 16:47:44 +0300 |
parents | 48c87377aabd |
children | 8981dbb12254 |
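--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -20,10 +20,13 @@
 
 static ngx_int_t ngx_stream_ssl_handler(ngx_stream_session_t *s);
 static ngx_int_t ngx_stream_ssl_init_connection(ngx_ssl_t *ssl,
     ngx_connection_t *c);
 static void ngx_stream_ssl_handshake_handler(ngx_connection_t *c);
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+int ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg);
+#endif
 #ifdef SSL_R_CERT_CB_ERROR
 static int ngx_stream_ssl_certificate(ngx_ssl_conn_t *ssl_conn, void *arg);
 #endif
 static ngx_int_t ngx_stream_ssl_static_variable(ngx_stream_session_t *s,
     ngx_stream_variable_value_t *v, uintptr_t data);
@@ -412,10 +415,21 @@
 
     ngx_stream_core_run_phases(s);
 }
 
 
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+
+int
+ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+{
+    return SSL_TLSEXT_ERR_OK;
+}
+
+#endif
+
+
 #ifdef SSL_R_CERT_CB_ERROR
 
 int
 ngx_stream_ssl_certificate(ngx_ssl_conn_t *ssl_conn, void *arg)
 {
@@ -680,10 +694,15 @@
     }
 
     cln->handler = ngx_ssl_cleanup_ctx;
     cln->data = &conf->ssl;
 
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+    SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
+                                           ngx_stream_ssl_servername);
+#endif
+
     if (ngx_stream_ssl_compile_certificates(cf, conf) != NGX_OK) {
         return NGX_CONF_ERROR;
     }
 
     if (conf->certificate_values) {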
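Review bot: The new ngx_stream_ssl_servername() body carries no comment, so the reason it unconditionally returns SSL_TLSEXT_ERR_OK — which is the whole point of the commit — lives only in the commit message and will look like a stub to the next reader; a short comment above the return would preserve it, e.g. `/* OpenSSL 1.1.1 only stores the server name in the session when this callback returns SSL_TLSEXT_ERR_OK; a no-op that always succeeds keeps $ssl_server_name working in resumed sessions */`. It is also worth stating in that comment that the callback deliberately does not inspect or validate the SNI value, so nobody later relies on it for per-name rejection. A smaller style point in the first hunk: the prototype is declared non-static while the neighbouring ngx_stream_ssl_certificate prototype is static; if external linkage is not required (I cannot tell from this page), `static int ngx_stream_ssl_servername(...)` would match the surrounding declarations. The function in the third hunk that registers the callback starts and ends outside the hunk.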