From 30f623740082f0c4594d03250bd48997c500d289 Mon Sep 17 00:00:00 2001
From: Maxim Dounin
Date: Sun, 3 Mar 2019 16:47:44 +0300
Subject: [PATCH] SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
OpenSSL 1.1.1 does not save server name to the session if server name callback returns anything but SSL_TLSEXT_ERR_OK, thus breaking the $ssl_server_name variable in resumed sessions. Since $ssl_server_name can be used even if we've selected the default server and there are no other servers, it looks like the only viable solution is to always return SSL_TLSEXT_ERR_OK regardless of the actual result. To fix things in the stream module as well, added a dummy server name callback which always returns SSL_TLSEXT_ERR_OK.
---
 src/http/ngx_http_request.c | 12 ++++++------
 src/stream/ngx_stream_ssl_module.c | 19 +++++++++++++++++++
 2 files changed, 25 insertions(+), 6 deletions(-)
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 40973b2e2..9cdc4a543 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -866,13 +866,13 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
 servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
 if (servername == NULL) {
- return SSL_TLSEXT_ERR_NOACK;
+ return SSL_TLSEXT_ERR_OK;
 }
 c = ngx_ssl_get_connection(ssl_conn);
 if (c->ssl->handshaked) {
- return SSL_TLSEXT_ERR_NOACK;
+ return SSL_TLSEXT_ERR_OK;
 }
 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
@@ -881,13 +881,13 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
 host.len = ngx_strlen(servername);
 if (host.len == 0) {
- return SSL_TLSEXT_ERR_NOACK;
+ return SSL_TLSEXT_ERR_OK;
 }
 host.data = (u_char *) servername;
 if (ngx_http_validate_host(&host, c->pool, 1) != NGX_OK) {
- return SSL_TLSEXT_ERR_NOACK;
+ return SSL_TLSEXT_ERR_OK;
 }
 hc = c->data;
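Review bot: Nothing in the code explains why every failure path of ngx_http_ssl_servername in this hunk, and in the two following hunks of the same function (the zero-length / invalid host returns and the find-virtual-server / ngx_palloc returns), now reports SSL_TLSEXT_ERR_OK, so a later reader is likely to "correct" one of them back to SSL_TLSEXT_ERR_NOACK; the rationale currently lives only in the commit message. Suggest a comment ahead of the first early return, e.g. `/* always SSL_TLSEXT_ERR_OK: OpenSSL 1.1.1 keeps the server name in the session (and so in $ssl_server_name on resumption) only when the callback reports success */`. As far as the visible lines show, the server is still selected only after ngx_http_validate_host() succeeds, so the change alters what OpenSSL records and tells the client, not which server configuration is chosen. ngx_http_ssl_servername begins before this hunk and continues after it.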
@@ -896,12 +896,12 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
 NULL, &cscf)
 != NGX_OK)
 {
- return SSL_TLSEXT_ERR_NOACK;
+ return SSL_TLSEXT_ERR_OK;
 }
 hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
 if (hc->ssl_servername == NULL) {
- return SSL_TLSEXT_ERR_NOACK;
+ return SSL_TLSEXT_ERR_OK;
 }
 *hc->ssl_servername = host;
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
index 9266e99aa..b099a805a 100644
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -22,6 +22,9 @@ static ngx_int_t ngx_stream_ssl_handler(ngx_stream_session_t *s);
 static ngx_int_t ngx_stream_ssl_init_connection(ngx_ssl_t *ssl,
 ngx_connection_t *c);
 static void ngx_stream_ssl_handshake_handler(ngx_connection_t *c);
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+int ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg);
+#endif
 #ifdef SSL_R_CERT_CB_ERROR
 static int ngx_stream_ssl_certificate(ngx_ssl_conn_t *ssl_conn, void *arg);
 #endif
@@ -414,6 +417,17 @@ ngx_stream_ssl_handshake_handler(ngx_connection_t *c)
 }
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+
+int
+ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+{
+ return SSL_TLSEXT_ERR_OK;
+}
+
+#endif
+
+
 #ifdef SSL_R_CERT_CB_ERROR
 int
@@ -682,6 +696,11 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
 cln->handler = ngx_ssl_cleanup_ctx;
 cln->data = &conf->ssl;
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+ SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
+ ngx_stream_ssl_servername);
+#endif
+
 if (ngx_stream_ssl_compile_certificates(cf, conf) != NGX_OK) {
 return NGX_CONF_ERROR;
 }
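Review bot: The new prototype of ngx_stream_ssl_servername in the @@ -22 hunk has external linkage, while the neighbouring ngx_stream_ssl_certificate two lines below is declared `static int`, and the definition added in the @@ -414 hunk is non-static as well. The only use visible in this patch is the registration inside ngx_stream_ssl_merge_conf in the same file, so `static int ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg);` here and `static int` on the definition would keep the symbol file-local and match the surrounding declarations. If the name is meant to be referenced from another translation unit, a short comment saying so would settle the question.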
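Review bot: The body of the new ngx_stream_ssl_servername in the @@ -414 hunk gives no hint that returning SSL_TLSEXT_ERR_OK unconditionally is the whole purpose of the function, which reads like a stub left unfinished; the reasoning is only in the commit message. A one-line comment above the return would prevent a later "completion" of it, e.g. `/* dummy callback: OpenSSL 1.1.1 stores the server name in the session for $ssl_server_name only when SSL_TLSEXT_ERR_OK is returned */`. The three parameters are deliberately unused because the callback signature is fixed by OpenSSL; whether the project's warning flags accept that cannot be told from this hunk.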
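Review bot: The return value of SSL_CTX_set_tlsext_servername_callback() in the @@ -682 hunk is discarded, so if the binary is built with SNI support but linked at run time against an OpenSSL without tlsext support the callback is silently not installed and $ssl_server_name for resumed stream sessions stays broken with nothing in the error log. Checking the result and warning, e.g. `if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx, ngx_stream_ssl_servername) == 0) {` / `ngx_log_error(NGX_LOG_WARN, cf->log, 0, "server name callback not set: linked OpenSSL has no tlsext support");` / `}`, makes the degraded state visible to the operator; I believe the http SSL module already does this for its own callback, which would make the two modules consistent. ngx_stream_ssl_merge_conf starts before this hunk and continues after it.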