Klaus Demo nginx / 0ad4393
SSL: moved c->ssl->handshaked check in server name callback. The server name callback is always called by OpenSSL, even if the server_name extension is not present in the ClientHello. As such, checking c->ssl->handshaked before the SSL_get_servername() result should help to more effectively prevent renegotiation in OpenSSL 1.1.0 - 1.1.0g, where neither SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS nor SSL_OP_NO_RENEGOTIATION is available. Maxim Dounin 3 years ago
1 changed file(s) with 6 addition(s) and 6 deletion(s). Raw diff Collapse all Expand all
863863 ngx_http_core_loc_conf_t *clcf;
864864 ngx_http_core_srv_conf_t *cscf;
865865
866 servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
867
868 if (servername == NULL) {
869 return SSL_TLSEXT_ERR_OK;
870 }
871
872866 c = ngx_ssl_get_connection(ssl_conn);
873867
874868 if (c->ssl->handshaked) {
875869 *ad = SSL_AD_NO_RENEGOTIATION;
876870 return SSL_TLSEXT_ERR_ALERT_FATAL;
871 }
872
873 servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
874
875 if (servername == NULL) {
876 return SSL_TLSEXT_ERR_OK;
877877 }
878878
879879 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,