Mercurial > hg > nginx

diff src/http/ngx_http_request.c @ 7471:7e8bcba6d039
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK. OpenSSL 1.1.1 does not save server name to the session if server name callback returns anything but SSL_TLSEXT_ERR_OK, thus breaking the $ssl_server_name variable in resumed sessions. Since $ssl_server_name can be used even if we've selected the default server and there are no other servers, it looks like the only viable solution is to always return SSL_TLSEXT_ERR_OK regardless of the actual result. To fix things in the stream module as well, added a dummy server name callback which always returns SSL_TLSEXT_ERR_OK.
author: Maxim Dounin <mdounin@mdounin.ru>
date: Sun, 03 Mar 2019 16:47:44 +0300
parents: 48c87377aabd
children: d430babbe643
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -866,13 +866,13 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *
     servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
 
     if (servername == NULL) {
-        return SSL_TLSEXT_ERR_NOACK;
+        return SSL_TLSEXT_ERR_OK;
     }
 
     c = ngx_ssl_get_connection(ssl_conn);
 
     if (c->ssl->handshaked) {
-        return SSL_TLSEXT_ERR_NOACK;
+        return SSL_TLSEXT_ERR_OK;
     }
 
     ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
@@ -881,13 +881,13 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *
     host.len = ngx_strlen(servername);
 
     if (host.len == 0) {
-        return SSL_TLSEXT_ERR_NOACK;
+        return SSL_TLSEXT_ERR_OK;
     }
 
     host.data = (u_char *) servername;
 
     if (ngx_http_validate_host(&host, c->pool, 1) != NGX_OK) {
-        return SSL_TLSEXT_ERR_NOACK;
+        return SSL_TLSEXT_ERR_OK;
     }
 
     hc = c->data;
@@ -896,12 +896,12 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *
                                      NULL, &cscf)
         != NGX_OK)
     {
-        return SSL_TLSEXT_ERR_NOACK;
+        return SSL_TLSEXT_ERR_OK;
     }
 
     hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
     if (hc->ssl_servername == NULL) {
-        return SSL_TLSEXT_ERR_NOACK;
+        return SSL_TLSEXT_ERR_OK;
     }
 
     *hc->ssl_servername = host;
author	Maxim Dounin <mdounin@mdounin.ru>
date	Sun, 03 Mar 2019 16:47:44 +0300
parents	48c87377aabd
children	d430babbe643