Maxim Dounin
March 05, 2019 08:58AM
details: https://hg.nginx.org/nginx/rev/49f9d2f7d887
branches:
changeset: 7475:49f9d2f7d887
user: Maxim Dounin <mdounin@mdounin.ru>
date: Tue Mar 05 16:34:19 2019 +0300
description:
SSL: moved c->ssl->handshaked check in server name callback.

Server name callback is always called by OpenSSL, even
if server_name extension is not present in ClientHello. As such,
checking c->ssl->handshaked before the SSL_get_servername() result
should help to more effectively prevent renegotiation in
OpenSSL 1.1.0 - 1.1.0g, where neither SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
nor SSL_OP_NO_RENEGOTIATION is available.

diffstat:

src/http/ngx_http_request.c | 12 ++++++------
1 files changed, 6 insertions(+), 6 deletions(-)

diffs (29 lines):

diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -864,12 +864,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *
ngx_http_core_loc_conf_t *clcf;
ngx_http_core_srv_conf_t *cscf;

- servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
-
- if (servername == NULL) {
- return SSL_TLSEXT_ERR_OK;
- }
-
c = ngx_ssl_get_connection(ssl_conn);

if (c->ssl->handshaked) {
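Review bot: the early return being deleted here is the bypass itself: a renegotiating ClientHello that omitted the server_name extension hit `return SSL_TLSEXT_ERR_OK;` before `if (c->ssl->handshaked)` was ever reached, so the renegotiation rejection only applied to clients that chose to send SNI. Dropping it is safe only together with the reinstated NULL check in the second hunk; applied alone, a NULL `servername` would flow into the `ngx_log_debug1` `%s` below. Pre-existing but worth a glance while here: `c->ssl` is dereferenced straight after `ngx_ssl_get_connection()` with no NULL check, which is fine only if the callback is never installed before `c->ssl` is set.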
@@ -877,6 +871,12 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *
return SSL_TLSEXT_ERR_ALERT_FATAL;
}

+ servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
+
+ if (servername == NULL) {
+ return SSL_TLSEXT_ERR_OK;
+ }
+
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
"SSL server name: \"%s\"", servername);

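Review bot: with `SSL_get_servername()` and its NULL check moved behind the handshaked guard, the `SSL_TLSEXT_ERR_ALERT_FATAL` path now covers every renegotiation attempt, SNI or not, which is what the description claims. One suggestion: the guard's correctness rests on OpenSSL invoking the servername callback for every ClientHello even when server_name is absent, a property stated only in the commit message; a one-line comment above `if (c->ssl->handshaked)` recording that, and that on OpenSSL 1.1.0 - 1.1.0g this is the only renegotiation defence available, would stop a future cleanup from hoisting the NULL check back to the top as an "optimisation". The blank line after the new `}` matches the surrounding spacing, so no style nit there.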
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
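To make the ordering concrete, the following is an added, self-contained C model written for this page; it is not nginx's or OpenSSL's code. The `model_conn_t` struct, the `servername_cb_old` / `servername_cb_new` functions, the `renegotiation_verdict` driver and the `TLSEXT_ERR_*` constants are stand-ins defined here so the logic runs without OpenSSL, and the ClientHello values are constructed. It plays the scenario the commit message describes: a normal handshake with SNI, then a renegotiation whose ClientHello carries no server_name, against both check orders.

```c
/* Added example (not nginx's or OpenSSL's code): a model of the two orderings
 * of the SSL server name callback, showing why the check order matters.
 * OpenSSL is not linked; everything below is a stand-in defined here. */
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for the OpenSSL callback return codes (assumed to play the role
 * of SSL_TLSEXT_ERR_OK and SSL_TLSEXT_ERR_ALERT_FATAL). */
#define TLSEXT_ERR_OK          0
#define TLSEXT_ERR_ALERT_FATAL 2

/* Constructed view of what the callback inspects: whether a handshake has
 * already completed (c->ssl->handshaked in nginx) and the server_name value
 * from the current ClientHello, NULL when the extension is absent. */
typedef struct {
    int         handshaked;   /* 1 once the first handshake has finished */
    const char *servername;   /* SNI host name, or NULL if not sent */
} model_conn_t;

/* Ordering before the change: SNI presence first, handshake state second. */
int servername_cb_old(const model_conn_t *c)
{
    if (c->servername == NULL) {
        return TLSEXT_ERR_OK;          /* renegotiation guard never reached */
    }
    if (c->handshaked) {
        return TLSEXT_ERR_ALERT_FATAL; /* renegotiation with SNI: rejected */
    }
    return TLSEXT_ERR_OK;              /* normal SNI lookup would follow */
}

/* Ordering after the change: handshake state first, then SNI presence. */
int servername_cb_new(const model_conn_t *c)
{
    if (c->handshaked) {
        return TLSEXT_ERR_ALERT_FATAL; /* rejected whether or not SNI present */
    }
    if (c->servername == NULL) {
        return TLSEXT_ERR_OK;          /* no SNI on first handshake: fine */
    }
    return TLSEXT_ERR_OK;              /* normal SNI lookup would follow */
}

/* Drive one connection: an initial ClientHello with SNI, then a renegotiation
 * ClientHello carrying reneg_sni (NULL to model a client that omits the
 * extension).  Returns the callback's verdict on the renegotiation. */
int renegotiation_verdict(int (*cb)(const model_conn_t *), const char *reneg_sni)
{
    model_conn_t c = { 0, "example.test" };   /* constructed first ClientHello */
    int first = cb(&c);
    if (first != TLSEXT_ERR_OK) {
        return first;                         /* would not happen in this model */
    }
    c.handshaked = 1;                         /* first handshake completed */
    c.servername = reneg_sni;                 /* renegotiation ClientHello */
    return cb(&c);
}

int main(void)
{
    const char *names[] = { "old", "new" };
    int (*cbs[])(const model_conn_t *) = { servername_cb_old, servername_cb_new };

    for (int i = 0; i < 2; i++) {
        printf("%s ordering: renegotiation with SNI -> %s, without SNI -> %s\n",
               names[i],
               renegotiation_verdict(cbs[i], "example.test") == TLSEXT_ERR_OK
                   ? "accepted" : "rejected",
               renegotiation_verdict(cbs[i], NULL) == TLSEXT_ERR_OK
                   ? "accepted (guard bypassed)" : "rejected");
    }
    return 0;
}
```

The old ordering rejects a renegotiation only when the second ClientHello carries SNI; leaving the extension out slips past the guard. The new ordering rejects both, which is the whole point of moving six lines.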