SSL: moved c->ssl->handshaked check in server name callback.
Server name callback is always called by OpenSSL, even if the server_name extension is not present in ClientHello. As such, checking c->ssl->handshaked before examining the SSL_get_servername() result should help to more effectively prevent renegotiation in OpenSSL 1.1.0 - 1.1.0g, where neither SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS nor SSL_OP_NO_RENEGOTIATION is available.
This commit is contained in:
parent
0808b04c46
commit
0ad4393e30
@ -864,12 +864,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
|
||||
ngx_http_core_loc_conf_t *clcf;
|
||||
ngx_http_core_srv_conf_t *cscf;
|
||||
|
||||
servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
|
||||
|
||||
if (servername == NULL) {
|
||||
return SSL_TLSEXT_ERR_OK;
|
||||
}
|
||||
|
||||
c = ngx_ssl_get_connection(ssl_conn);
|
||||
|
||||
if (c->ssl->handshaked) {
|
||||
@ -877,6 +871,12 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
|
||||
return SSL_TLSEXT_ERR_ALERT_FATAL;
|
||||
}
|
||||
|
||||
servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
|
||||
|
||||
if (servername == NULL) {
|
||||
return SSL_TLSEXT_ERR_OK;
|
||||
}
|
||||
|
||||
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
|
||||
"SSL server name: \"%s\"", servername);
|
||||
|
||||
|
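Review bot: The ordering constraint the new code depends on — the `c->ssl->handshaked` check (first hunk) must run before the `SSL_get_servername()` result is consulted because OpenSSL invokes this callback for every ClientHello, SNI or not — is recorded only in the commit message, so a later tidy-up could move the early `return SSL_TLSEXT_ERR_OK` back in front of it and silently reopen the renegotiation window. A one-line comment above the handshaked test would pin it down, e.g. `/* callback fires even without SNI: reject renegotiation before anything else */`. The body of ngx_http_ssl_servername starts before the first hunk and continues past the second.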