
Commit 9f39eac

committed
f
Signed-off-by: Nic <[email protected]>
1 parent 7e50d8d commit 9f39eac


1 file changed

+5
-46
lines changed

Lines changed: 5 additions & 46 deletions
@@ -1,52 +1,11 @@
11
diff --git src/http/ngx_http_request.c src/http/ngx_http_request.c
2-
index 013b7158e..6bac89cf4 100644
2+
index 013b7158e..1d1c4968c 100644
33
--- src/http/ngx_http_request.c
44
+++ src/http/ngx_http_request.c
5-
@@ -909,6 +909,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
5+
@@ -898,6 +898,27 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
66
goto done;
77
}
88

9-
+ sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);
10-
+
11-
+#if (defined TLS1_3_VERSION \
12-
+ && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
13-
+
14-
+ /*
15-
+ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
16-
+ * but servername being negotiated in every TLSv1.3 handshake
17-
+ * is only returned in OpenSSL 1.1.1+ as well
18-
+ */
19-
+
20-
+ if (sscf->verify) {
21-
+ const char *hostname;
22-
+
23-
+ hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
24-
+
25-
+ if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
26-
+ c->ssl->handshake_rejected = 1;
27-
+ *ad = SSL_AD_ACCESS_DENIED;
28-
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
29-
+ }
30-
+ }
31-
+
32-
+#endif
33-
+
34-
hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
35-
if (hc->ssl_servername == NULL) {
36-
goto error;
37-
@@ -922,8 +947,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
38-
39-
ngx_set_connection_log(c, clcf->error_log);
40-
41-
- sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
42-
-
43-
c->ssl->buffer_size = sscf->buffer_size;
44-
45-
if (sscf->ssl.ctx) {
46-
@@ -958,6 +981,27 @@ done:
47-
48-
sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
49-
509
+#if (defined TLS1_3_VERSION \
5110
+ && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
5211
+
@@ -68,6 +27,6 @@ index 013b7158e..6bac89cf4 100644
6827
+
6928
+#endif
7029
+
71-
if (sscf->reject_handshake) {
72-
c->ssl->handshake_rejected = 1;
73-
*ad = SSL_AD_UNRECOGNIZED_NAME;
30+
rc = ngx_http_find_virtual_server(c, hc->addr_conf->virtual_names, &host,
31+
NULL, &cscf);
32+
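Review bot: The rewritten hunk (`@@ -898,6 +898,27 @@`) no longer carries the `if (sscf->verify)` guard that compared `SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn))` with `servername` and failed the handshake with `SSL_AD_ACCESS_DENIED`, and the remaining `#if (defined TLS1_3_VERSION ...)` block now sits ahead of `ngx_http_find_virtual_server()`, before the server selected by SNI is known. Rows 12–26 of the new patch are collapsed in this view, so it is not visible which `sscf` that block reads; the `sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);` line that used to precede the check is gone, so if the block still dereferences `sscf` it does so before any visible assignment. I would keep the per-server check after the lookup (restore that assignment and the hostname comparison), or state in the commit message, currently just `f`, why a TLSv1.3 session whose stored hostname differs from the requested name may be resumed on a server with client-certificate verification enabled. The body of ngx_http_ssl_servername continues outside the hunk.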
