Mercurial > hg > nginx
comparison src/http/ngx_http_request.c @ 7472:d430babbe643
SSL: server name callback changed to return fatal errors.
Notably this affects various allocation errors, and should generally
improve things if an allocation error actually happens during a callback.
Depending on the OpenSSL version, returning an error can result in
either SSL_R_CALLBACK_FAILED or SSL_R_CLIENTHELLO_TLSEXT error from
SSL_do_handshake(), so both errors were switched to the "info" level.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Sun, 03 Mar 2019 16:48:06 +0300 |
| parents | 7e8bcba6d039 |
| children | 49f9d2f7d887 |
comparison
equal
deleted
inserted
replaced
| 7471:7e8bcba6d039 | 7472:d430babbe643 |
|---|---|
| 853 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME | 853 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME |
| 854 | 854 |
| 855 int | 855 int |
| 856 ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) | 856 ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) |
| 857 { | 857 { |
| 858 ngx_int_t rc; | |
| 858 ngx_str_t host; | 859 ngx_str_t host; |
| 859 const char *servername; | 860 const char *servername; |
| 860 ngx_connection_t *c; | 861 ngx_connection_t *c; |
| 861 ngx_http_connection_t *hc; | 862 ngx_http_connection_t *hc; |
| 862 ngx_http_ssl_srv_conf_t *sscf; | 863 ngx_http_ssl_srv_conf_t *sscf; |
| 870 } | 871 } |
| 871 | 872 |
| 872 c = ngx_ssl_get_connection(ssl_conn); | 873 c = ngx_ssl_get_connection(ssl_conn); |
| 873 | 874 |
| 874 if (c->ssl->handshaked) { | 875 if (c->ssl->handshaked) { |
| 875 return SSL_TLSEXT_ERR_OK; | 876 *ad = SSL_AD_NO_RENEGOTIATION; |
| 877 return SSL_TLSEXT_ERR_ALERT_FATAL; | |
| 876 } | 878 } |
| 877 | 879 |
| 878 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, | 880 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, |
| 879 "SSL server name: \"%s\"", servername); | 881 "SSL server name: \"%s\"", servername); |
| 880 | 882 |
| 884 return SSL_TLSEXT_ERR_OK; | 886 return SSL_TLSEXT_ERR_OK; |
| 885 } | 887 } |
| 886 | 888 |
| 887 host.data = (u_char *) servername; | 889 host.data = (u_char *) servername; |
| 888 | 890 |
| 889 if (ngx_http_validate_host(&host, c->pool, 1) != NGX_OK) { | 891 rc = ngx_http_validate_host(&host, c->pool, 1); |
| 892 | |
| 893 if (rc == NGX_ERROR) { | |
| 894 *ad = SSL_AD_INTERNAL_ERROR; | |
| 895 return SSL_TLSEXT_ERR_ALERT_FATAL; | |
| 896 } | |
| 897 | |
| 898 if (rc == NGX_DECLINED) { | |
| 890 return SSL_TLSEXT_ERR_OK; | 899 return SSL_TLSEXT_ERR_OK; |
| 891 } | 900 } |
| 892 | 901 |
| 893 hc = c->data; | 902 hc = c->data; |
| 894 | 903 |
| 895 if (ngx_http_find_virtual_server(c, hc->addr_conf->virtual_names, &host, | 904 rc = ngx_http_find_virtual_server(c, hc->addr_conf->virtual_names, &host, |
| 896 NULL, &cscf) | 905 NULL, &cscf); |
| 897 != NGX_OK) | 906 |
| 898 { | 907 if (rc == NGX_ERROR) { |
| 908 *ad = SSL_AD_INTERNAL_ERROR; | |
| 909 return SSL_TLSEXT_ERR_ALERT_FATAL; | |
| 910 } | |
| 911 | |
| 912 if (rc == NGX_DECLINED) { | |
| 899 return SSL_TLSEXT_ERR_OK; | 913 return SSL_TLSEXT_ERR_OK; |
| 900 } | 914 } |
| 901 | 915 |
| 902 hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t)); | 916 hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t)); |
| 903 if (hc->ssl_servername == NULL) { | 917 if (hc->ssl_servername == NULL) { |
| 904 return SSL_TLSEXT_ERR_OK; | 918 *ad = SSL_AD_INTERNAL_ERROR; |
| 919 return SSL_TLSEXT_ERR_ALERT_FATAL; | |
| 905 } | 920 } |
| 906 | 921 |
| 907 *hc->ssl_servername = host; | 922 *hc->ssl_servername = host; |
| 908 | 923 |
| 909 hc->conf_ctx = cscf->ctx; | 924 hc->conf_ctx = cscf->ctx; |