git.kaiwu.me - nginx.git/commit

]> git.kaiwu.me - nginx.git/commit

projects / nginx.git / commit

summary | shortlog | log | commit | commitdiff | tree
(parent: 95f9116) | patch

author	Sergey Kandaurov <pluknet@nginx.com>
	Wed, 22 Jan 2025 14:55:44 +0000 (18:55 +0400)
committer	pluknet <pluknet@nginx.com>
	Wed, 5 Feb 2025 16:40:47 +0000 (20:40 +0400)
commit	13935cf9fdc3c8d8278c70716417d3b71c36140e
tree	63193caa4a11d641e1416993d6d0ba35bf02292e	tree \| snapshot
parent	95f9116128dfe531b054e740cfc4b10a3a1f58d5	commit \| diff

SNI: added restriction for TLSv1.3 cross-SNI session resumption.

In OpenSSL, session resumption always happens in the default SSL context,
prior to invoking the SNI callback. Further, unlike in TLSv1.2 and older
protocols, SSL_get_servername() returns values received in the resumption
handshake, which may be different from the value in the initial handshake.
Notably, this makes the restriction added in b720f650b insufficient for
sessions resumed with different SNI server name.

Considering the example from b720f650b, previously, a client was able to
request example.org by presenting a certificate for example.org, then to
resume and request example.com.

The fix is to reject handshakes resumed with a different server name, if
verification of client certificates is enabled in a corresponding server
configuration.

src/http/ngx_http_request.c		diff \| blob \| history
src/stream/ngx_stream_ssl_module.c		diff \| blob \| history

nginx upstream