diff options
Diffstat (limited to 'src/http')
| -rw-r--r-- | src/http/modules/ngx_http_ssl_module.c | 6 | ||||
| -rw-r--r-- | src/http/ngx_http_request.c | 62 |
2 files changed, 32 insertions, 36 deletions
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c index fbf4ab871..3778758e2 100644 --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -749,6 +749,10 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) cln->data = &conf->ssl; #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME + { + static ngx_ssl_client_hello_arg cb = { ngx_http_ssl_servername }; + + ngx_ssl_set_client_hello_callback(conf->ssl.ctx, &cb); if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx, ngx_http_ssl_servername) @@ -759,7 +763,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) "dynamically to an OpenSSL library which has no tlsext support, " "therefore SNI is not available"); } - + } #endif #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c index 95cb1a133..6f6e975b7 100644 --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -891,27 +891,41 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) return SSL_TLSEXT_ERR_ALERT_FATAL; } + if (c->ssl->sni_accepted) { + return SSL_TLSEXT_ERR_OK; + } + hc = c->data; - servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name); + if (arg != NULL) { + host = *(ngx_str_t *) arg; - if (servername == NULL) { - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, - "SSL server name: null"); - goto done; + if (host.data == NULL) { + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, + "SSL server name: null"); + goto done; + } + + } else { + servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name); + + if (servername == NULL) { + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, + "SSL server name: null"); + goto done; + } + + host.len = ngx_strlen(servername); + host.data = (u_char *) servername; } ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, - "SSL server name: \"%s\"", servername); - - host.len = ngx_strlen(servername); + "SSL server name: \"%V\"", &host); if (host.len == 0) { goto done; } - host.data = (u_char *) servername; - rc = ngx_http_validate_host(&host, c->pool, 1); if (rc == NGX_ERROR) { @@ -933,31 +947,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) goto done; } - sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module); - -#if (defined TLS1_3_VERSION \ - && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL) - - /* - * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+, - * but servername being negotiated in every TLSv1.3 handshake - * is only returned in OpenSSL 1.1.1+ as well - */ - - if (sscf->verify) { - const char *hostname; - - hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn)); - - if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) { - c->ssl->handshake_rejected = 1; - *ad = SSL_AD_ACCESS_DENIED; - return SSL_TLSEXT_ERR_ALERT_FATAL; - } - } - -#endif - hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t)); if (hc->ssl_servername == NULL) { goto error; @@ -971,6 +960,8 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) ngx_set_connection_log(c, clcf->error_log); + sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module); + c->ssl->buffer_size = sscf->buffer_size; if (sscf->ssl.ctx) { @@ -1019,6 +1010,7 @@ done: return SSL_TLSEXT_ERR_ALERT_FATAL; } + c->ssl->sni_accepted = 1; return SSL_TLSEXT_ERR_OK; error: |