From f965e358b6ca878ead629dffb2f0df57230995ea Mon Sep 17 00:00:00 2001
From: Andrey Suvorov
Date: Thu, 22 Jul 2021 11:23:48 -0700
Subject: Changing SNI callback return code if a client sends no SNI.

A client sending no SNI is a common situation. But currently the server processes it as an error and returns SSL_TLSEXT_ERR_ALERT_FATAL, causing termination of the current TLS session. The problem occurs if the configuration has more than one certificate bundle in a listener. This fix changes the return code to SSL_TLSEXT_ERR_OK and the log level of a message.
---
 docs/changes.xml | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'docs')

diff --git a/docs/changes.xml b/docs/changes.xml index 2aa9bb65..634bf9cd 100644 --- a/docs/changes.xml +++ b/docs/changes.xml @@ -43,6 +43,14 @@ process and thread lifecycle hooks in Ruby. + + +TLS connection was rejected for configuration with more than one +certificate bundle in a listener if a client did not use SNI. + + + + the router process could crash on TLS connection open when multiple listeners -- cgit
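Review bot: The changes.xml entry added in the @@ -43,6 +43,14 @@ hunk says only that the connection "was rejected" and leaves out what a client without SNI is served after the fix. Per the commit message the SNI callback now returns SSL_TLSEXT_ERR_OK instead of SSL_TLSEXT_ERR_ALERT_FATAL, so the handshake continues; for a listener with more than one certificate bundle, the entry or the listener documentation should state which bundle is presented in that case, because operators who rely on SNI to separate hostnames need to know which certificate a no-SNI client receives. The commit message also mentions a log level change that the entry does not cover, and this view is limited to 'docs', so the callback change itself cannot be checked against the entry here. Wording nit: "for configuration with" reads better as "for a configuration with".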