diff options
| author | Sergey Kandaurov <pluknet@nginx.com> | 2025-01-28 00:53:15 +0400 |
|---|---|---|
| committer | pluknet <pluknet@nginx.com> | 2025-09-25 19:25:08 +0400 |
| commit | 0373fe5d98c1515640e74fa6f4d32fac1f1d3ab2 (patch) | |
| tree | 10090027a69f6e84e65c079e53094558b446b377 /src/http/modules | |
| parent | bc71625dcca1f1cbd0db7450af853feb90ebba85 (diff) | |
| download | nginx-0373fe5d98c1515640e74fa6f4d32fac1f1d3ab2.tar.gz nginx-0373fe5d98c1515640e74fa6f4d32fac1f1d3ab2.tar.bz2 | |
SNI: using the ClientHello callback.
The change introduces an SNI based virtual server selection during
early ClientHello processing. The callback is available since
OpenSSL 1.1.1; for older OpenSSL versions, the previous behaviour
is kept.
Using the ClientHello callback sets a reasonable processing order
for the "server_name" TLS extension. Notably, session resumption
decision now happens after applying server configuration chosen by
SNI, useful with enabled verification of client certificates, which
brings consistency with BoringSSL behaviour. The change supersedes
and reverts a fix made in 46b9f5d38 for TLSv1.3 resumed sessions.
In addition, since the callback is invoked prior to the protocol
version negotiation, this makes it possible to set "ssl_protocols"
on a per-virtual server basis.
To keep the $ssl_server_name variable working with TLSv1.2 resumed
sessions, as previously fixed in fd97b2a80, a limited server name
callback is preserved in order to acknowledge the extension.
Note that to allow third-party modules to properly chain the call to
ngx_ssl_client_hello_callback(), the servername callback function is
passed through exdata.
Diffstat (limited to 'src/http/modules')
| -rw-r--r-- | src/http/modules/ngx_http_ssl_module.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c index fbf4ab871..3778758e2 100644 --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -749,6 +749,10 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) cln->data = &conf->ssl; #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME + { + static ngx_ssl_client_hello_arg cb = { ngx_http_ssl_servername }; + + ngx_ssl_set_client_hello_callback(conf->ssl.ctx, &cb); if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx, ngx_http_ssl_servername) @@ -759,7 +763,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) "dynamically to an OpenSSL library which has no tlsext support, " "therefore SNI is not available"); } - + } #endif #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation |