IntenseWebs/nginx
3
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2024-12-26 00:41:02 -06:00
Code Issues Packages Projects Releases Wiki Activity

SSL: server name callback changed to return fatal errors.

Browse Source 
Notably this affects various allocation errors, and should generally
improve things if an allocation error actually happens during a callback.

Depending on the OpenSSL version, returning an error can result in
either SSL_R_CALLBACK_FAILED or SSL_R_CLIENTHELLO_TLSEXT error from
SSL_do_handshake(), so both errors were switched to the "info" level.
This commit is contained in:
Maxim Dounin 2019-03-03 16:48:06 +03:00
parent fd97b2a80f
commit 99d7bb6909
2 changed files with 28 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/event/ngx_event_openssl.c
View File

@ -2855,8 +2855,14 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
|| n == SSL_R_NO_COMPRESSION_SPECIFIED /* 187 */ || n == SSL_R_NO_COMPRESSION_SPECIFIED /* 187 */
|| n == SSL_R_NO_SHARED_CIPHER /* 193 */ || n == SSL_R_NO_SHARED_CIPHER /* 193 */
|| n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */ || n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */
#ifdef SSL_R_CLIENTHELLO_TLSEXT
|| n == SSL_R_CLIENTHELLO_TLSEXT /* 226 */
#endif
#ifdef SSL_R_PARSE_TLSEXT #ifdef SSL_R_PARSE_TLSEXT
|| n == SSL_R_PARSE_TLSEXT /* 227 */ || n == SSL_R_PARSE_TLSEXT /* 227 */
#endif
#ifdef SSL_R_CALLBACK_FAILED
|| n == SSL_R_CALLBACK_FAILED /* 234 */
#endif #endif
|| n == SSL_R_UNEXPECTED_MESSAGE /* 244 */ || n == SSL_R_UNEXPECTED_MESSAGE /* 244 */
|| n == SSL_R_UNEXPECTED_RECORD /* 245 */ || n == SSL_R_UNEXPECTED_RECORD /* 245 */

29
src/http/ngx_http_request.c
View File

@ -855,6 +855,7 @@ ngx_http_ssl_handshake_handler(ngx_connection_t *c)
int int
ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
{ {
ngx_int_t rc;
ngx_str_t host; ngx_str_t host;
const char *servername; const char *servername;
ngx_connection_t *c; ngx_connection_t *c;
@ -872,7 +873,8 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
c = ngx_ssl_get_connection(ssl_conn); c = ngx_ssl_get_connection(ssl_conn);
if (c->ssl->handshaked) { if (c->ssl->handshaked) {
return SSL_TLSEXT_ERR_OK; *ad = SSL_AD_NO_RENEGOTIATION;
return SSL_TLSEXT_ERR_ALERT_FATAL;
} }
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
@ -886,22 +888,35 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
host.data = (u_char *) servername; host.data = (u_char *) servername;
if (ngx_http_validate_host(&host, c->pool, 1) != NGX_OK) { rc = ngx_http_validate_host(&host, c->pool, 1);
if (rc == NGX_ERROR) {
*ad = SSL_AD_INTERNAL_ERROR;
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
if (rc == NGX_DECLINED) {
return SSL_TLSEXT_ERR_OK; return SSL_TLSEXT_ERR_OK;
} }
hc = c->data; hc = c->data;
if (ngx_http_find_virtual_server(c, hc->addr_conf->virtual_names, &host, rc = ngx_http_find_virtual_server(c, hc->addr_conf->virtual_names, &host,
NULL, &cscf) NULL, &cscf);
!= NGX_OK)
{ if (rc == NGX_ERROR) {
*ad = SSL_AD_INTERNAL_ERROR;
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
if (rc == NGX_DECLINED) {
return SSL_TLSEXT_ERR_OK; return SSL_TLSEXT_ERR_OK;
} }
hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t)); hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
if (hc->ssl_servername == NULL) { if (hc->ssl_servername == NULL) {
return SSL_TLSEXT_ERR_OK; *ad = SSL_AD_INTERNAL_ERROR;
return SSL_TLSEXT_ERR_ALERT_FATAL;
} }
*hc->ssl_servername = host; *hc->ssl_servername = host;