f

Signed-off-by: Nic <[email protected]>

Author: nic-6443

patch/1.21.4/nginx-sni_restriction.patch

@@ -1,5 +1,5 @@
 diff --git src/http/ngx_http_request.c src/http/ngx_http_request.c
-index 013b7158e..d5ac3d415 100644
+index 013b7158e..0f8e981b5 100644
 --- src/http/ngx_http_request.c
 +++ src/http/ngx_http_request.c
 @@ -909,6 +909,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
@@ -43,3 +43,33 @@ index 013b7158e..d5ac3d415 100644
      c->ssl->buffer_size = sscf->buffer_size;
 
      if (sscf->ssl.ctx) {
+@@ -958,6 +981,29 @@ done:
+ 
+     sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
+ 
++#if (defined TLS1_3_VERSION                                                   \
++     && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
++
++    /*
++     * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
++     * but servername being negotiated in every TLSv1.3 handshake
++     * is only returned in OpenSSL 1.1.1+ as well
++     */
++
++    if (sscf->verify) {
++        const char  *hostname;
++
++        hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
++
++        if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
++            c->ssl->handshake_rejected = 1;
++            *ad = SSL_AD_ACCESS_DENIED;
++            return SSL_TLSEXT_ERR_ALERT_FATAL;
++        }
++    }
++
++#endif
++
+     if (sscf->reject_handshake) {
+         c->ssl->handshake_rejected = 1;
+         *ad = SSL_AD_UNRECOGNIZED_NAME;