# HG changeset patch # User Maxim Dounin # Date 1551792859 -10800 # Node ID 49f9d2f7d8877cf7d86fc43c07ef86fc494175bc # Parent 3f1db95d758ab6b331065e99df47666bb1ed5e06 SSL: moved c->ssl->handshaked check in server name callback. Server name callback is always called by OpenSSL, even if server_name extension is not present in ClientHello. As such, checking c->ssl->handshaked before the SSL_get_servername() result should help to more effectively prevent renegotiation in OpenSSL 1.1.0 - 1.1.0g, where neither SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS nor SSL_OP_NO_RENEGOTIATION is available. diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -864,12 +864,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t * ngx_http_core_loc_conf_t *clcf; ngx_http_core_srv_conf_t *cscf; - servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name); - - if (servername == NULL) { - return SSL_TLSEXT_ERR_OK; - } - c = ngx_ssl_get_connection(ssl_conn); if (c->ssl->handshaked) { @@ -877,6 +871,12 @@ ngx_http_ssl_servername(ngx_ssl_conn_t * return SSL_TLSEXT_ERR_ALERT_FATAL; } + servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name); + + if (servername == NULL) { + return SSL_TLSEXT_ERR_OK; + } + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "SSL server name: \"%s\"", servername);