diff options
| author | Maxim Dounin <mdounin@mdounin.ru> | 2019-03-05 16:34:19 +0300 |
|---|---|---|
| committer | Maxim Dounin <mdounin@mdounin.ru> | 2019-03-05 16:34:19 +0300 |
| commit | 0ad4393e30c119d250415cb769e3d8bc8dce5186 (patch) | |
| tree | aeb76719875f586c250d1d44e2fed066a99e988a | |
| parent | 0808b04c4690354aab43e0cdfe49588abb942e8c (diff) | |
| download | nginx-0ad4393e30c119d250415cb769e3d8bc8dce5186.tar.gz nginx-0ad4393e30c119d250415cb769e3d8bc8dce5186.zip | |
SSL: moved c->ssl->handshaked check in server name callback.
Server name callback is always called by OpenSSL, even
if server_name extension is not present in ClientHello. As such,
checking c->ssl->handshaked before the SSL_get_servername() result
should help to more effectively prevent renegotiation in
OpenSSL 1.1.0 - 1.1.0g, where neither SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
nor SSL_OP_NO_RENEGOTIATION is available.
| -rw-r--r-- | src/http/ngx_http_request.c | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c index d87e872bf..80c19656f 100644 --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -864,12 +864,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) ngx_http_core_loc_conf_t *clcf; ngx_http_core_srv_conf_t *cscf; - servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name); - - if (servername == NULL) { - return SSL_TLSEXT_ERR_OK; - } - c = ngx_ssl_get_connection(ssl_conn); if (c->ssl->handshaked) { @@ -877,6 +871,12 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) return SSL_TLSEXT_ERR_ALERT_FATAL; } + servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name); + + if (servername == NULL) { + return SSL_TLSEXT_ERR_OK; + } + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "SSL server name: \"%s\"", servername); |