From f965e358b6ca878ead629dffb2f0df57230995ea Mon Sep 17 00:00:00 2001
From: Andrey Suvorov <a.suvorov@f5.com>
Date: Thu, 22 Jul 2021 11:23:48 -0700
Subject: Changing SNI callback return code if a client sends no SNI.

When a client sends no SNI is a common situation.  But currently the server
processes it as an error and returns SSL_TLSEXT_ERR_ALERT_FATAL causing
termination of a current TLS session.  The problem occurs if configuration has
more than one certificate bundle in a listener.

This fix changes the return code to SSL_TLSEXT_ERR_OK and the log level of a
message.
---
 src/nxt_openssl.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

(limited to 'src')

diff --git a/src/nxt_openssl.c b/src/nxt_openssl.c
index 3b5d4fda..297e11cf 100644
--- a/src/nxt_openssl.c
+++ b/src/nxt_openssl.c
@@ -804,15 +804,15 @@ nxt_openssl_servername(SSL *s, int *ad, void *arg)
     }
 
     servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
-    if (nxt_slow_path(servername == NULL)) {
-        nxt_log(c->socket.task, NXT_LOG_ALERT, "SSL_get_servername() returned "
-                                               "NULL in server name callback");
-        return SSL_TLSEXT_ERR_ALERT_FATAL;
+
+    if (servername == NULL) {
+        nxt_debug(c->socket.task, "SSL_get_servername(): NULL");
+        goto done;
     }
 
     str.length = nxt_strlen(servername);
     if (str.length == 0) {
-        nxt_debug(c->socket.task, "client sent zero-length server name");
+        nxt_debug(c->socket.task, "SSL_get_servername(): \"\" is empty");
         goto done;
     }
 
-- 
cgit