diff src/stream/ngx_stream_ssl_module.c @ 7471:7e8bcba6d039

SSL: server name callback changed to return SSL_TLSEXT_ERR_OK. OpenSSL 1.1.1 does not save server name to the session if server name callback returns anything but SSL_TLSEXT_ERR_OK, thus breaking the $ssl_server_name variable in resumed sessions. Since $ssl_server_name can be used even if we've selected the default server and there are no other servers, it looks like the only viable solution is to always return SSL_TLSEXT_ERR_OK regardless of the actual result. To fix things in the stream module as well, added a dummy server name callback which always returns SSL_TLSEXT_ERR_OK.
author Maxim Dounin <mdounin@mdounin.ru>
date Sun, 03 Mar 2019 16:47:44 +0300
parents 48c87377aabd
children 8981dbb12254
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -22,6 +22,9 @@ static ngx_int_t ngx_stream_ssl_handler(
 static ngx_int_t ngx_stream_ssl_init_connection(ngx_ssl_t *ssl,
     ngx_connection_t *c);
 static void ngx_stream_ssl_handshake_handler(ngx_connection_t *c);
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+int ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg);
+#endif
 #ifdef SSL_R_CERT_CB_ERROR
 static int ngx_stream_ssl_certificate(ngx_ssl_conn_t *ssl_conn, void *arg);
 #endif
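Review bot: The new prototype `int ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg);` gives the callback external linkage, while the sibling `ngx_stream_ssl_certificate` prototype two lines below is declared `static`. Nothing outside this file appears to need the symbol (the only use visible in this diff is the registration in ngx_stream_ssl_merge_conf), so `static int ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg);` would keep it file-local and consistent with the neighbouring declaration. A later non-static definition still inherits internal linkage from a static prototype, so the definition hunk would not need to change.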
@@ -414,6 +417,17 @@ ngx_stream_ssl_handshake_handler(ngx_con
 }
 
 
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+
+int
+ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+{
+    return SSL_TLSEXT_ERR_OK;
+}
+
+#endif
+
+
 #ifdef SSL_R_CERT_CB_ERROR
 
 int
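Review bot: The body of ngx_stream_ssl_servername is an unconditional `return SSL_TLSEXT_ERR_OK;` with no explanation in the code, so a reader who has not seen this commit message will wonder why a callback that ignores all three of its parameters exists at all. A short comment above the definition would carry the rationale into the source: `/* dummy callback: OpenSSL 1.1.1 stores the client's server name in the session (needed by $ssl_server_name on resumption) only if the servername callback returns SSL_TLSEXT_ERR_OK */`. It may also be worth noting in that comment that the callback deliberately performs no server selection, so nobody later "fixes" it to return SSL_TLSEXT_ERR_NOACK for unknown names.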
@@ -682,6 +696,11 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf
     cln->handler = ngx_ssl_cleanup_ctx;
     cln->data = &conf->ssl;
 
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+    SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
+                                           ngx_stream_ssl_servername);
+#endif
+
     if (ngx_stream_ssl_compile_certificates(cf, conf) != NGX_OK) {
         return NGX_CONF_ERROR;
     }
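Review bot: The return value of `SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx, ngx_stream_ssl_servername)` is discarded, so a failed registration would silently leave $ssl_server_name broken in resumed sessions, which is exactly what this commit sets out to fix. If I recall correctly, the equivalent registration in ngx_http_ssl_module.c checks for a zero result and logs a warning that the library was linked dynamically against an OpenSSL without tlsext support; mirroring that here would make the failure visible: `if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx, ngx_stream_ssl_servername) == 0) { ngx_log_error(NGX_LOG_WARN, cf->log, 0, "SSL_CTX_set_tlsext_servername_callback() failed, $ssl_server_name may be empty in resumed sessions"); }`. ngx_stream_ssl_merge_conf starts and ends outside this hunk.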