Re: [ngx] - save SSL/TLS client hello extensions ids

Maxim Dounin
August 23, 2017 12:12PM
Hello!

On Tue, Aug 22, 2017 at 09:58:32PM +0100, Paulo Pacheco wrote:

> Hi,
>
> Is this patch the right way to do it?
>
> My motivation was this: https://github.com/fooinha/nginx-ssl-ja3

Saving the list of TLS extensions for future use just in case we'll
need it in some 3rd-party module looks suboptimal, so please don't
expect this patch to be merged.

[...]

> @@ -1229,6 +1283,10 @@
>
> ngx_ssl_clear_error(c->log);
>
> +#if OPENSSL_VERSION_NUMBER >= 0x10101000L
> + SSL_CTX_set_early_cb(c->ssl->session_ctx, ngx_SSL_early_cb_fn, c);
> +#endif
> +
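
Review bot: the third argument on the added SSL_CTX_set_early_cb() line is the per-connection pointer c, but it is stored in c->ssl->session_ctx, which the call treats as an SSL_CTX; if that context is shared between connections, every handshake overwrites the argument left by the previous one. The callback is handed the SSL object, so it could look up the connection from that object (nginx has ngx_ssl_get_connection() for this) and leave the callback argument unused. The name ngx_SSL_early_cb_fn also mixes case, unlike the ngx_ssl_ prefix of ngx_ssl_clear_error() in the same hunk.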

Modifications of SSL contexts should be done during configuration,
not at run-time. Instead, you should do this when a context is
configured, somewhere in ngx_http_ssl_merge_srv_conf() after the
ngx_ssl_create() call.

Note well that you can install the callback in your own module - this
will be a hack and the code will break if/when nginx will start
using SSL_CTX_set_early_cb() for some reason, but this will allow
your module to work for now without any modifications of nginx
core. This approach should be good enough at least for
experiments.

--
Maxim Dounin
http://nginx.org/
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel