From 7f9ced0ce0d70ae60f46ef3ed759efa75e711db4 Mon Sep 17 00:00:00 2001
From: Sergey Kandaurov
Date: Mon, 22 Sep 2025 19:55:16 +0400
Subject: SNI: support for early ClientHello callback with BoringSSL.
This brings feature parity with OpenSSL after the previous change, making it possible to set SSL protocols per virtual server.
---
 src/http/ngx_http_request.c | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'src/http')
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 6f6e975b7..16d79c490 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -895,6 +895,11 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
 return SSL_TLSEXT_ERR_OK;
 }
+ if (c->ssl->handshake_rejected) {
+ *ad = SSL_AD_UNRECOGNIZED_NAME;
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
+ }
+
 hc = c->data;
 if (arg != NULL) {
-- cgit
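Review bot: The new `c->ssl->handshake_rejected` check in ngx_http_ssl_servername() sits below an earlier `return SSL_TLSEXT_ERR_OK;` path, so a connection that takes that earlier return never reaches the rejection; because this flag is the fail-closed decision, it would be safer to test it before any success return, or to document why the two conditions cannot both hold. The block that returns OK and the code that sets the flag both lie outside the hunk, so this is inferred from the context lines only. The check also has no comment; something like `/* handshake was rejected earlier (flag set outside this function); abort with a fatal alert */` would tell a reader why the alert is raised from the servername callback. It is also worth confirming that this callback still runs under BoringSSL for a ClientHello that carries no server_name extension, since otherwise a rejected handshake might continue with the default server's protocol settings.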