
Commit 7e50d8d

committed
f
Signed-off-by: Nic <[email protected]>
1 parent 69a5ca0 commit 7e50d8d


1 file changed

+8
-10
lines changed


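--- a/patch/1.21.4/nginx-sni_restriction.patch
+++ b/patch/1.21.4/nginx-sni_restriction.patch
@@ -1,5 +1,5 @@
 diff --git src/http/ngx_http_request.c src/http/ngx_http_request.c
-index 013b7158e..0f8e981b5 100644
+index 013b7158e..6bac89cf4 100644
 --- src/http/ngx_http_request.c
 +++ src/http/ngx_http_request.c
 @@ -909,6 +909,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
@@ -43,7 +43,7 @@ index 013b7158e..0f8e981b5 100644
 c->ssl->buffer_size = sscf->buffer_size;
 
 if (sscf->ssl.ctx) {
-@@ -958,6 +981,29 @@ done:
+@@ -958,6 +981,27 @@ done:
 
 sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
 
@@ -56,16 +56,14 @@ index 013b7158e..0f8e981b5 100644
 + * is only returned in OpenSSL 1.1.1+ as well
 + */
 +
-+ if (sscf->verify) {
-+ const char *hostname;
++ const char *hostname;
 +
-+ hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
++ hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
 +
-+ if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
-+ c->ssl->handshake_rejected = 1;
-+ *ad = SSL_AD_ACCESS_DENIED;
-+ return SSL_TLSEXT_ERR_ALERT_FATAL;
-+ }
++ if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
++ c->ssl->handshake_rejected = 1;
++ *ad = SSL_AD_ACCESS_DENIED;
++ return SSL_TLSEXT_ERR_ALERT_FATAL;
 + }
 +
 +#endif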
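Review bot: The hostname comparison in the third hunk still fails open when `SSL_SESSION_get0_hostname()` returns NULL, and with the `if (sscf->verify)` guard removed that pass-through is no longer limited to configurations that set `sscf->verify`. If a session without a recorded hostname is meant to be accepted, state it above the check, e.g. `/* NULL: session carries no SNI, nothing to compare */`; otherwise the NULL case needs an explicit decision. `ngx_strcmp` is byte-exact, so a resumption that sends the same name in different case would presumably be rejected; whether `servername` is normalised earlier cannot be seen here, because the enclosing `#if` block and function begin outside the hunk. The commit message `f` gives no reason for making the check unconditional, and a one-line rationale in the patch comment would help when this is ported to the next nginx version.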
