SSL: moved c->ssl->handshaked check in server name callback.
Server name callback is always called by OpenSSL, even
if server_name extension is not present in ClientHello. As such,
checking c->ssl->handshaked before the SSL_get_servername() result
should help to more effectively prevent renegotiation in
OpenSSL 1.1.0 - 1.1.0g, where neither SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
nor SSL_OP_NO_RENEGOTIATION is available.
Maxim Dounin
3 years ago
| 863 | 863 | ngx_http_core_loc_conf_t *clcf; |
| 864 | 864 | ngx_http_core_srv_conf_t *cscf; |
| 865 | 865 | |
| 866 | servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name); | |
| 867 | ||
| 868 | if (servername == NULL) { | |
| 869 | return SSL_TLSEXT_ERR_OK; | |
| 870 | } | |
| 871 | ||
| 872 | 866 | c = ngx_ssl_get_connection(ssl_conn); |
| 873 | 867 | |
| 874 | 868 | if (c->ssl->handshaked) { |
| 875 | 869 | *ad = SSL_AD_NO_RENEGOTIATION; |
| 876 | 870 | return SSL_TLSEXT_ERR_ALERT_FATAL; |
| 871 | } | |
| 872 | ||
| 873 | servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name); | |
| 874 | ||
| 875 | if (servername == NULL) { | |
| 876 | return SSL_TLSEXT_ERR_OK; | |
| 877 | 877 | } |
| 878 | 878 | |
| 879 | 879 | ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, |