Merged with the default branch.

author: Sergey Kandaurov <pluknet@nginx.com> 2020-10-29 14:53:58 +0000
committer: Sergey Kandaurov <pluknet@nginx.com> 2020-10-29 14:53:58 +0000
commit: 6f73d24061261884b1c2191629d4f1ced8740d82 (patch)
tree: 883780cf53de409e2ccbd93b8ec4d7e2c566a20e /src/http/ngx_http_request.c
parent: c3e8e59a55c4bd144dec6ca1c55f06f8d509ec50 (diff)
parent: db65797133842f3f632460e6a00f5f0ac901cd5f (diff)
download: nginx-6f73d24061261884b1c2191629d4f1ced8740d82.tar.gz
nginx-6f73d24061261884b1c2191629d4f1ced8740d82.zip
1 files changed, 27 insertions, 14 deletions
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index e33a3038f..f33555687 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -927,10 +927,14 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
         return SSL_TLSEXT_ERR_ALERT_FATAL;
     }
 
+    hc = c->data;
+
     servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
 
     if (servername == NULL) {
-        return SSL_TLSEXT_ERR_OK;
+        ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                       "SSL server name: null");
+        goto done;
     }
 
     ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
@@ -939,7 +943,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
     host.len = ngx_strlen(servername);
 
     if (host.len == 0) {
-        return SSL_TLSEXT_ERR_OK;
+        goto done;
     }
 
     host.data = (u_char *) servername;
@@ -947,32 +951,27 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
     rc = ngx_http_validate_host(&host, c->pool, 1);
 
     if (rc == NGX_ERROR) {
-        *ad = SSL_AD_INTERNAL_ERROR;
-        return SSL_TLSEXT_ERR_ALERT_FATAL;
+        goto error;
     }
 
     if (rc == NGX_DECLINED) {
-        return SSL_TLSEXT_ERR_OK;
+        goto done;
     }
 
-    hc = c->data;
-
     rc = ngx_http_find_virtual_server(c, hc->addr_conf->virtual_names, &host,
                                       NULL, &cscf);
 
     if (rc == NGX_ERROR) {
-        *ad = SSL_AD_INTERNAL_ERROR;
-        return SSL_TLSEXT_ERR_ALERT_FATAL;
+        goto error;
     }
 
     if (rc == NGX_DECLINED) {
-        return SSL_TLSEXT_ERR_OK;
+        goto done;
     }
 
     hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
     if (hc->ssl_servername == NULL) {
-        *ad = SSL_AD_INTERNAL_ERROR;
-        return SSL_TLSEXT_ERR_ALERT_FATAL;
+        goto error;
     }
 
     *hc->ssl_servername = host;
@@ -989,8 +988,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
 
     if (sscf->ssl.ctx) {
         if (SSL_set_SSL_CTX(ssl_conn, sscf->ssl.ctx) == NULL) {
-            *ad = SSL_AD_INTERNAL_ERROR;
-            return SSL_TLSEXT_ERR_ALERT_FATAL;
+            goto error;
         }
 
         /*
@@ -1016,7 +1014,22 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
 #endif
     }
 
+done:
+
+    sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
+
+    if (sscf->reject_handshake) {
+        c->ssl->handshake_rejected = 1;
+        *ad = SSL_AD_UNRECOGNIZED_NAME;
+        return SSL_TLSEXT_ERR_ALERT_FATAL;
+    }
+
     return SSL_TLSEXT_ERR_OK;
+
+error:
+
+    *ad = SSL_AD_INTERNAL_ERROR;
+    return SSL_TLSEXT_ERR_ALERT_FATAL;
 }
 
 #endif
author	Sergey Kandaurov <pluknet@nginx.com>	2020-10-29 14:53:58 +0000
committer	Sergey Kandaurov <pluknet@nginx.com>	2020-10-29 14:53:58 +0000
commit	6f73d24061261884b1c2191629d4f1ced8740d82 (patch)
tree	883780cf53de409e2ccbd93b8ec4d7e2c566a20e /src/http/ngx_http_request.c
parent	c3e8e59a55c4bd144dec6ca1c55f06f8d509ec50 (diff)
parent	db65797133842f3f632460e6a00f5f0ac901cd5f (diff)
download	nginx-6f73d24061261884b1c2191629d4f1ced8740d82.tar.gz nginx-6f73d24061261884b1c2191629d4f1ced8740d82.zip