Re: ngx_stream_ssl_preread_module does not seem to extract the server_name when connecting with openconnect

Roman Arutyunyan
December 15, 2016 12:24PM
Hi Thomas,

On Thu, Dec 15, 2016 at 05:50:48PM +0100, Thomas Glanzmann wrote:
> Hello Roman,
>
> > You can try logging $ssl_preread_server_name in access_log.
>
> thank you. It seems that nginx is not able to extract the server_name
> from openconnect correctly:
>
> 2a01:598:8181:37ef:95e1:682:4c98:449e - [15/Dec/2016:17:45:57 +0100] ""
>
> When I connect with a browser:
>
> 2a01:598:8181:37ef:95e1:682:4c98:449e - [15/Dec/2016:17:46:20 +0100] "vpn.gmvl.de"
>
> This seems to be one problem. And another problem seems to be the backend
> communication between nginx and ocserv using the proxy protocol.
>
> Here is tcpdump of the openconnect ssl handshake with nginx:
>
> https://thomas.glanzmann.de/tmp/openconnect_sni.pcap
>
> I'm using the command line 'openconnect vpn.gmvl.de'.

Please try the attached patch.

--
Roman Arutyunyan
# HG changeset patch
# User Roman Arutyunyan <arut@nginx.com>
# Date 1481822378 -10800
# Thu Dec 15 20:19:38 2016 +0300
# Node ID 424e4b3b9c861df69360d2bf7d7efce495c27ea7
# Parent da5604455090c04fbdc2114b9de46a3bb9b30e78
Stream ssl_preread: relaxed SSL version check.

SSL version 3.0 can be specified by the client at the record level for
compatibility reasons. Previously, ssl_preread module rejected such
connections, presuming they don't have SNI. Now SSL 3.0 is allowed at record
level.

diff --git a/src/stream/ngx_stream_ssl_preread_module.c b/src/stream/ngx_stream_ssl_preread_module.c
--- a/src/stream/ngx_stream_ssl_preread_module.c
+++ b/src/stream/ngx_stream_ssl_preread_module.c
@@ -142,7 +142,7 @@ ngx_stream_ssl_preread_handler(ngx_strea
return NGX_DECLINED;
}

- if (p[1] != 3 || p[2] == 0) {
+ if (p[1] != 3) {
ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
"ssl preread: unsupported SSL version");
return NGX_DECLINED;
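Review bot: with `p[2] == 0` dropped, the only guard left before the ClientHello parsing is `p[1] != 3`, so a record-layer version of 3.0 now passes through, and a client that really speaks SSL 3.0 (whose ClientHello may end right after compression_methods, with no extensions block) is no longer filtered out here; please confirm the extension walk later in the handler treats "no extensions" as "no SNI" and declines rather than reading past the end of the hello. A short comment next to `if (p[1] != 3)` explaining that 3.0 is accepted at the record level because some clients (openconnect in this thread) send it there while negotiating a newer version inside the ClientHello would keep a future reader from reinstating the `p[2] == 0` check; the commit message says this, the code no longer does. The "unsupported SSL version" debug text still matches the remaining condition.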
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
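The record-layer version check the patch relaxes is easy to get wrong, so here is an added example (not nginx code and not from this thread) of an SNI preread parser that accepts a 3.0 record version while still rejecting anything that is not TLS, alongside a switch that reproduces the old `p[1] != 3 || p[2] == 0` behaviour. The pcap referenced above is not on the page, so the ClientHello bytes are built by a constructed helper; a record version of 3.0 carrying a ClientHello with client_version 3.3 is assumed to be the shape the commit message describes ("SSL version 3.0 ... at the record level for compatibility reasons"). The parser handles one complete record, which is a simplification of what nginx does with a partially received buffer.

```python
"""Minimal TLS ClientHello SNI preread (added example, not nginx's code)."""
import struct


class _Cursor:
    """Bounds-checked reader: any overrun is a ValueError, never an IndexError."""

    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated at offset %d" % self.pos)
        out = self.buf[self.pos:self.pos + n]
        self.pos += n
        return out

    def u8(self):
        return self.take(1)[0]

    def u16(self):
        return struct.unpack("!H", self.take(2))[0]

    def u24(self):
        return int.from_bytes(self.take(3), "big")


def preread_server_name(record, allow_ssl30_record=True):
    """Return the host_name from the server_name extension of a TLS ClientHello
    record, or None when the hello carries no SNI.

    allow_ssl30_record=False reproduces the pre-patch nginx check
    (p[1] != 3 || p[2] == 0): a record-layer version of 3.0 is declined.
    """
    c = _Cursor(record)
    if c.u8() != 0x16:                       # ContentType handshake
        raise ValueError("not a TLS handshake record")
    major, minor = c.u8(), c.u8()            # record-layer ProtocolVersion
    if major != 3 or (minor == 0 and not allow_ssl30_record):
        raise ValueError("unsupported SSL version %d.%d" % (major, minor))
    rec = _Cursor(c.take(c.u16()))           # record payload
    if rec.u8() != 0x01:                     # HandshakeType client_hello
        raise ValueError("not a ClientHello")
    hello = _Cursor(rec.take(rec.u24()))     # handshake body
    hello.take(2 + 32)                       # client_version + random (not needed for SNI)
    hello.take(hello.u8())                   # session_id
    hello.take(hello.u16())                  # cipher_suites
    hello.take(hello.u8())                   # compression_methods
    if hello.pos == len(hello.buf):
        return None                          # SSL 3.0-style hello: no extensions at all
    exts = _Cursor(hello.take(hello.u16()))
    while exts.pos < len(exts.buf):
        ext_type = exts.u16()
        ext_data = _Cursor(exts.take(exts.u16()))
        if ext_type != 0:                    # 0 = server_name
            continue
        names = _Cursor(ext_data.take(ext_data.u16()))
        while names.pos < len(names.buf):
            name_type = names.u8()
            name = names.take(names.u16())
            if name_type == 0:               # host_name
                return name.decode("ascii")
    return None


def rejected(record, allow_ssl30_record=True):
    """True when the preread declines the record (not TLS, unsupported, truncated)."""
    try:
        preread_server_name(record, allow_ssl30_record=allow_ssl30_record)
    except ValueError:
        return True
    return False


def build_client_hello(server_name=None, record_version=(3, 1), hello_version=(3, 3)):
    """Constructed ClientHello for the demo (not a capture). record_version=(3, 0)
    with hello_version=(3, 3) is the assumed openconnect-style shape."""
    ext_block = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name entry
        sni = struct.pack("!H", len(entry)) + entry              # ServerNameList
        ext_block = struct.pack("!HH", 0, len(sni)) + sni        # extension type 0
    body = bytes(hello_version) + b"\x11" * 32                   # client_version, fixed random
    body += b"\x00"                                              # empty session_id
    body += struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"           # two cipher suites
    body += b"\x01\x00"                                          # null compression only
    if ext_block:
        body += struct.pack("!H", len(ext_block)) + ext_block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(record_version) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    oc_style = build_client_hello("vpn.gmvl.de", record_version=(3, 0))
    print("old check:", rejected(oc_style, allow_ssl30_record=False))
    print("patched:  ", preread_server_name(oc_style))
```

Running it shows the two behaviours side by side: with the old check the 3.0 record is declined and the log would carry an empty `$ssl_preread_server_name`, exactly the symptom in the first message; with the check relaxed the same bytes yield the host name, while non-handshake or truncated input is still declined.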
Thread: ngx_stream_ssl_preread_module does not seem to extract the server_name when connecting with openconnect

- Thomas Glanzmann, December 15, 2016 11:10AM
- Re: Roman Arutyunyan, December 15, 2016 11:22AM
- Re: Thomas Glanzmann, December 15, 2016 11:52AM
- Re: Roman Arutyunyan, December 15, 2016 12:24PM
- Re: Thomas Glanzmann, December 15, 2016 04:28PM
- Re: Roman Arutyunyan, December 19, 2016 06:14AM
- Re: Thomas Glanzmann, December 15, 2016 11:24AM