details: https://hg.nginx.org/nginx/rev/7e8bcba6d039
branches:
changeset: 7471:7e8bcba6d039
user: Maxim Dounin <mdounin@mdounin.ru>
date: Sun Mar 03 16:47:44 2019 +0300
description:
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
OpenSSL 1.1.1 does not save server name to the session if server name
callback returns anything but SSL_TLSEXT_ERR_OK, thus breaking
the $ssl_server_name variable in resumed sessions.
Since $ssl_server_name can be used even if we've selected the default
server and there are no other servers, it looks like the only viable
solution is to always return SSL_TLSEXT_ERR_OK regardless of the actual
result.
To fix things in the stream module as well, added a dummy server name
callback which always returns SSL_TLSEXT_ERR_OK.
diffstat:
src/http/ngx_http_request.c | 12 ++++++------
src/stream/ngx_stream_ssl_module.c | 19 +++++++++++++++++++
2 files changed, 25 insertions(+), 6 deletions(-)
diffs (93 lines):
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -866,13 +866,13 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *
servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
if (servername == NULL) {
- return SSL_TLSEXT_ERR_NOACK;
+ return SSL_TLSEXT_ERR_OK;
}
c = ngx_ssl_get_connection(ssl_conn);
if (c->ssl->handshaked) {
- return SSL_TLSEXT_ERR_NOACK;
+ return SSL_TLSEXT_ERR_OK;
}
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
@@ -881,13 +881,13 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *
host.len = ngx_strlen(servername);
if (host.len == 0) {
- return SSL_TLSEXT_ERR_NOACK;
+ return SSL_TLSEXT_ERR_OK;
}
host.data = (u_char *) servername;
if (ngx_http_validate_host(&host, c->pool, 1) != NGX_OK) {
- return SSL_TLSEXT_ERR_NOACK;
+ return SSL_TLSEXT_ERR_OK;
}
hc = c->data;
@@ -896,12 +896,12 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *
NULL, &cscf)
!= NGX_OK)
{
- return SSL_TLSEXT_ERR_NOACK;
+ return SSL_TLSEXT_ERR_OK;
}
hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
if (hc->ssl_servername == NULL) {
- return SSL_TLSEXT_ERR_NOACK;
+ return SSL_TLSEXT_ERR_OK;
}
*hc->ssl_servername = host;
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -22,6 +22,9 @@ static ngx_int_t ngx_stream_ssl_handler(
static ngx_int_t ngx_stream_ssl_init_connection(ngx_ssl_t *ssl,
ngx_connection_t *c);
static void ngx_stream_ssl_handshake_handler(ngx_connection_t *c);
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+int ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg);
+#endif
#ifdef SSL_R_CERT_CB_ERROR
static int ngx_stream_ssl_certificate(ngx_ssl_conn_t *ssl_conn, void *arg);
#endif
@@ -414,6 +417,17 @@ ngx_stream_ssl_handshake_handler(ngx_con
}
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+
+int
+ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+{
+ return SSL_TLSEXT_ERR_OK;
+}
+
+#endif
+
+
#ifdef SSL_R_CERT_CB_ERROR
int
@@ -682,6 +696,11 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf
cln->handler = ngx_ssl_cleanup_ctx;
cln->data = &conf->ssl;
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+ SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
+ ngx_stream_ssl_servername);
+#endif
+
if (ngx_stream_ssl_compile_certificates(cf, conf) != NGX_OK) {
return NGX_CONF_ERROR;
}
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
