diff options
| author | Maxim Dounin <mdounin@mdounin.ru> | 2019-03-03 16:47:44 +0300 |
|---|---|---|
| committer | Maxim Dounin <mdounin@mdounin.ru> | 2019-03-03 16:47:44 +0300 |
| commit | fd97b2a80f678b9bf372d9a6537e5d4db51188ae (patch) | |
| tree | c85542d597fa6e84674bb90237a9523ee7ec65cf /src/http/ngx_http_request.c | |
| parent | 4e0c46cfe12ad57e312a83b689ef1a7cf94dcd3d (diff) | |
| download | nginx-fd97b2a80f678b9bf372d9a6537e5d4db51188ae.tar.gz nginx-fd97b2a80f678b9bf372d9a6537e5d4db51188ae.zip | |
SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
OpenSSL 1.1.1 does not save server name to the session if server name
callback returns anything but SSL_TLSEXT_ERR_OK, thus breaking
the $ssl_server_name variable in resumed sessions.
Since $ssl_server_name can be used even if we've selected the default
server and there are no other servers, it looks like the only viable
solution is to always return SSL_TLSEXT_ERR_OK regardless of the actual
result.
To fix things in the stream module as well, added a dummy server name
callback which always returns SSL_TLSEXT_ERR_OK.
Diffstat (limited to 'src/http/ngx_http_request.c')
| -rw-r--r-- | src/http/ngx_http_request.c | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c index 40973b2e2..9cdc4a543 100644 --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -866,13 +866,13 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name); if (servername == NULL) { - return SSL_TLSEXT_ERR_NOACK; + return SSL_TLSEXT_ERR_OK; } c = ngx_ssl_get_connection(ssl_conn); if (c->ssl->handshaked) { - return SSL_TLSEXT_ERR_NOACK; + return SSL_TLSEXT_ERR_OK; } ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, @@ -881,13 +881,13 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) host.len = ngx_strlen(servername); if (host.len == 0) { - return SSL_TLSEXT_ERR_NOACK; + return SSL_TLSEXT_ERR_OK; } host.data = (u_char *) servername; if (ngx_http_validate_host(&host, c->pool, 1) != NGX_OK) { - return SSL_TLSEXT_ERR_NOACK; + return SSL_TLSEXT_ERR_OK; } hc = c->data; @@ -896,12 +896,12 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) NULL, &cscf) != NGX_OK) { - return SSL_TLSEXT_ERR_NOACK; + return SSL_TLSEXT_ERR_OK; } hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t)); if (hc->ssl_servername == NULL) { - return SSL_TLSEXT_ERR_NOACK; + return SSL_TLSEXT_ERR_OK; } *hc->ssl_servername = host; |