Commit 99d7bb690924e60e9e03096ac5e507111f7c182d - nginx

SSL: server name callback changed to return fatal errors. Notably this affects various allocation errors, and should generally improve things if an allocation error actually happens during a callback. Depending on the OpenSSL version, returning an error can result in either SSL_R_CALLBACK_FAILED or SSL_R_CLIENTHELLO_TLSEXT error from SSL_do_handshake(), so both errors were switched to the "info" level. Maxim Dounin 3 years ago

2 changed file(s) with 28 addition(s) and 7 deletion(s). Raw diff Collapse all Expand all

-0

src/event/ngx_event_openssl.c less more

2854	2854	\|\| n == SSL_R_NO_COMPRESSION_SPECIFIED /* 187 */
2855	2855	\|\| n == SSL_R_NO_SHARED_CIPHER /* 193 */
2856	2856	\|\| n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */
	2857	#ifdef SSL_R_CLIENTHELLO_TLSEXT
	2858	\|\| n == SSL_R_CLIENTHELLO_TLSEXT /* 226 */
	2859	#endif
2857	2860	#ifdef SSL_R_PARSE_TLSEXT
2858	2861	\|\| n == SSL_R_PARSE_TLSEXT /* 227 */
	2862	#endif
	2863	#ifdef SSL_R_CALLBACK_FAILED
	2864	\|\| n == SSL_R_CALLBACK_FAILED /* 234 */
2859	2865	#endif
2860	2866	\|\| n == SSL_R_UNEXPECTED_MESSAGE /* 244 */
2861	2867	\|\| n == SSL_R_UNEXPECTED_RECORD /* 245 */

+22

-7

src/http/ngx_http_request.c less more

854	854	int
855	855	ngx_http_ssl_servername(ngx_ssl_conn_t ssl_conn, int ad, void *arg)
856	856	{
	857	ngx_int_t rc;
857	858	ngx_str_t host;
858	859	const char *servername;
859	860	ngx_connection_t *c;

871	872	c = ngx_ssl_get_connection(ssl_conn);
872	873
873	874	if (c->ssl->handshaked) {
874		return SSL_TLSEXT_ERR_OK;
	875	*ad = SSL_AD_NO_RENEGOTIATION;
	876	return SSL_TLSEXT_ERR_ALERT_FATAL;
875	877	}
876	878
877	879	ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,

885	887
886	888	host.data = (u_char *) servername;
887	889
888		if (ngx_http_validate_host(&host, c->pool, 1) != NGX_OK) {
	890	rc = ngx_http_validate_host(&host, c->pool, 1);
	891
	892	if (rc == NGX_ERROR) {
	893	*ad = SSL_AD_INTERNAL_ERROR;
	894	return SSL_TLSEXT_ERR_ALERT_FATAL;
	895	}
	896
	897	if (rc == NGX_DECLINED) {
889	898	return SSL_TLSEXT_ERR_OK;
890	899	}
891	900
892	901	hc = c->data;
893	902
894		if (ngx_http_find_virtual_server(c, hc->addr_conf->virtual_names, &host,
895		NULL, &cscf)
896		!= NGX_OK)
897		{
	903	rc = ngx_http_find_virtual_server(c, hc->addr_conf->virtual_names, &host,
	904	NULL, &cscf);
	905
	906	if (rc == NGX_ERROR) {
	907	*ad = SSL_AD_INTERNAL_ERROR;
	908	return SSL_TLSEXT_ERR_ALERT_FATAL;
	909	}
	910
	911	if (rc == NGX_DECLINED) {
898	912	return SSL_TLSEXT_ERR_OK;
899	913	}
900	914
901	915	hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
902	916	if (hc->ssl_servername == NULL) {
903		return SSL_TLSEXT_ERR_OK;
	917	*ad = SSL_AD_INTERNAL_ERROR;
	918	return SSL_TLSEXT_ERR_ALERT_FATAL;
904	919	}
905	920
906	921	*hc->ssl_servername = host;