| author | Sergey Kandaurov <pluknet@nginx.com> | 2025-09-22 19:55:16 +0400 |
|---|---|---|
| committer | pluknet <pluknet@nginx.com> | 2025-09-25 19:25:08 +0400 |
| commit | 7f9ced0ce0d70ae60f46ef3ed759efa75e711db4 (patch) | |
| tree | d6e76b58b8814166abb3a704de488c37b0ce1fa7 /src/event | |
| parent | 0373fe5d98c1515640e74fa6f4d32fac1f1d3ab2 (diff) | |
| download | nginx-7f9ced0ce0d70ae60f46ef3ed759efa75e711db4.tar.gz nginx-7f9ced0ce0d70ae60f46ef3ed759efa75e711db4.tar.bz2 | |
SNI: support for early ClientHello callback with BoringSSL.
This brings feature parity with OpenSSL after the previous change,
making it possible to set SSL protocols per virtual server.
Diffstat (limited to 'src/event')
| -rw-r--r-- | src/event/ngx_event_openssl.c | 36 | ||||
| -rw-r--r-- | src/event/ngx_event_openssl.h | 3 |
2 files changed, 39 insertions, 0 deletions
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index d9abcd082..375d58be6 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -1663,6 +1663,11 @@ ngx_ssl_set_client_hello_callback(SSL_CTX *ssl_ctx,
     SSL_CTX_set_client_hello_cb(ssl_ctx, ngx_ssl_client_hello_callback, NULL);
     SSL_CTX_set_ex_data(ssl_ctx, ngx_ssl_client_hello_arg_index, cb);
+#elif defined OPENSSL_IS_BORINGSSL
+
+    SSL_CTX_set_select_certificate_cb(ssl_ctx, ngx_ssl_select_certificate);
+    SSL_CTX_set_ex_data(ssl_ctx, ngx_ssl_client_hello_arg_index, cb);
+
 #endif
 }
@@ -1727,6 +1732,37 @@ done:
     return SSL_CLIENT_HELLO_SUCCESS;
 }
+#elif defined OPENSSL_IS_BORINGSSL
+
+enum ssl_select_cert_result_t ngx_ssl_select_certificate(
+    const SSL_CLIENT_HELLO *client_hello)
+{
+    int ad;
+    ngx_int_t rc;
+    ngx_ssl_conn_t *ssl_conn;
+    ngx_connection_t *c;
+    ngx_ssl_client_hello_arg *cb;
+
+    ssl_conn = client_hello->ssl;
+    c = ngx_ssl_get_connection(ssl_conn);
+    cb = SSL_CTX_get_ex_data(c->ssl->session_ctx,
+                             ngx_ssl_client_hello_arg_index);
+
+    /*
+     * BoringSSL sends a hardcoded "handshake_failure" alert on errors,
+     * we use it to map SSL_AD_INTERNAL_ERROR. To preserve other alert
+     * values, error handling is postponed to the servername callback.
+     */
+
+    rc = cb->servername(ssl_conn, &ad, NULL);
+
+    if (rc == SSL_TLSEXT_ERR_ALERT_FATAL && ad == SSL_AD_INTERNAL_ERROR) {
+        return ssl_select_cert_error;
+    }
+
+    return ssl_select_cert_success;
+}
+
 #endif
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
index 544703f61..9943ee430 100644
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -298,6 +298,9 @@ void ngx_ssl_set_client_hello_callback(SSL_CTX *ssl_ctx,
     ngx_ssl_client_hello_arg *cb);
 #ifdef SSL_CLIENT_HELLO_SUCCESS
 int ngx_ssl_client_hello_callback(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg);
+#elif defined OPENSSL_IS_BORINGSSL
+enum ssl_select_cert_result_t ngx_ssl_select_certificate(
+    const SSL_CLIENT_HELLO *client_hello);
 #endif
 ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, |
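Review bot: `ad` is declared but never initialized before `rc = cb->servername(ssl_conn, &ad, NULL);` in the new ngx_ssl_select_certificate, so the `ad == SSL_AD_INTERNAL_ERROR` comparison is only well-defined if every servername callback stores `*ad` whenever it returns SSL_TLSEXT_ERR_ALERT_FATAL, and that contract is not visible in this hunk. Initializing it to the alert BoringSSL would send anyway, `int ad = SSL_AD_HANDSHAKE_FAILURE;`, keeps the comparison defined and makes an unset alert fall through to ssl_select_cert_success (deferred handling) instead of depending on an indeterminate value. The `cb` obtained from `SSL_CTX_get_ex_data(c->ssl->session_ctx, ngx_ssl_client_hello_arg_index)` is likewise dereferenced without a NULL check, which holds only while the ex_data is always installed together with the select-certificate callback as the first hunk does for ssl_ctx; a one-line comment stating that invariant next to the lookup would help the next reader. The function would also benefit from a header comment saying that it does not select a certificate itself but runs the servername callback early so that per-server settings apply before BoringSSL proceeds with the handshake, and that non-internal errors are presumably re-raised with their own alert when the servername callback runs again later — confirm that the second invocation actually occurs under BoringSSL.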
