Klaus Demo nginx / 99d7bb6
SSL: server name callback changed to return fatal errors. Notably this affects various allocation errors, and should generally improve things if an allocation error actually happens during a callback. Depending on the OpenSSL version, returning an error can result in either SSL_R_CALLBACK_FAILED or SSL_R_CLIENTHELLO_TLSEXT error from SSL_do_handshake(), so both errors were switched to the "info" level. Maxim Dounin 1 year, 8 months ago
2 changed file(s) with 28 addition(s) and 7 deletion(s).
28542854 || n == SSL_R_NO_COMPRESSION_SPECIFIED /* 187 */
28552855 || n == SSL_R_NO_SHARED_CIPHER /* 193 */
28562856 || n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */
2857 #ifdef SSL_R_CLIENTHELLO_TLSEXT
2858 || n == SSL_R_CLIENTHELLO_TLSEXT /* 226 */
2859 #endif
28572860 #ifdef SSL_R_PARSE_TLSEXT
28582861 || n == SSL_R_PARSE_TLSEXT /* 227 */
2862 #endif
2863 #ifdef SSL_R_CALLBACK_FAILED
2864 || n == SSL_R_CALLBACK_FAILED /* 234 */
28592865 #endif
28602866 || n == SSL_R_UNEXPECTED_MESSAGE /* 244 */
28612867 || n == SSL_R_UNEXPECTED_RECORD /* 245 */
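Review bot: The two new entries, `SSL_R_CLIENTHELLO_TLSEXT` and `SSL_R_CALLBACK_FAILED`, put a server-side failure into the list of handshake errors that the commit description says are logged at the "info" level, and nothing at this spot records that. Per the description these codes are what SSL_do_handshake() reports when the server name callback returns a fatal error, which includes allocation failures, so an operator filtering at "error" and above will not see the failed handshake unless the allocation failure is logged separately (not visible here). I would add a comment above each entry, for example `/* set when the servername callback returns a fatal error, including on allocation failure */`, so the level is not mistaken for a purely client-caused condition. The enclosing condition starts and ends outside this section.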
854854 int
855855 ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
856856 {
857 ngx_int_t rc;
857858 ngx_str_t host;
858859 const char *servername;
859860 ngx_connection_t *c;
871872 c = ngx_ssl_get_connection(ssl_conn);
872873
873874 if (c->ssl->handshaked) {
874 return SSL_TLSEXT_ERR_OK;
875 *ad = SSL_AD_NO_RENEGOTIATION;
876 return SSL_TLSEXT_ERR_ALERT_FATAL;
875877 }
876878
877879 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
885887
886888 host.data = (u_char *) servername;
887889
888 if (ngx_http_validate_host(&host, c->pool, 1) != NGX_OK) {
890 rc = ngx_http_validate_host(&host, c->pool, 1);
891
892 if (rc == NGX_ERROR) {
893 *ad = SSL_AD_INTERNAL_ERROR;
894 return SSL_TLSEXT_ERR_ALERT_FATAL;
895 }
896
897 if (rc == NGX_DECLINED) {
889898 return SSL_TLSEXT_ERR_OK;
890899 }
891900
892901 hc = c->data;
893902
894 if (ngx_http_find_virtual_server(c, hc->addr_conf->virtual_names, &host,
895 NULL, &cscf)
896 != NGX_OK)
897 {
903 rc = ngx_http_find_virtual_server(c, hc->addr_conf->virtual_names, &host,
904 NULL, &cscf);
905
906 if (rc == NGX_ERROR) {
907 *ad = SSL_AD_INTERNAL_ERROR;
908 return SSL_TLSEXT_ERR_ALERT_FATAL;
909 }
910
911 if (rc == NGX_DECLINED) {
898912 return SSL_TLSEXT_ERR_OK;
899913 }
900914
901915 hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
902916 if (hc->ssl_servername == NULL) {
903 return SSL_TLSEXT_ERR_OK;
917 *ad = SSL_AD_INTERNAL_ERROR;
918 return SSL_TLSEXT_ERR_ALERT_FATAL;
904919 }
905920
906921 *hc->ssl_servername = host;
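Review bot: After both calls, `rc` is compared only with `NGX_ERROR` and `NGX_DECLINED`, so any other non-OK value now falls through and the function continues as if the call had succeeded, whereas the removed `!= NGX_OK` tests returned early for every non-OK value. For the `ngx_http_find_virtual_server()` call this would mean `cscf` is used without having been set, if the code below reads it (not visible here) and if such a return value is possible. Keeping a catch-all after the error check preserves the old behaviour: `if (rc != NGX_OK) { return SSL_TLSEXT_ERR_OK; }`. Separately, the `c->ssl->handshaked` branch now sends `SSL_AD_NO_RENEGOTIATION` as a fatal alert where it used to return `SSL_TLSEXT_ERR_OK`, which the commit description does not mention; a one-line comment there, such as `/* server name callback invoked after the handshake: refuse renegotiation */`, would record the intent. The function body continues past the last line shown.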