openssl-patch/nginx_strict-sni.patch

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 75129134..d0b926fe 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -2547,6 +2547,7 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
     char *text)
 {
     int         n;
+    int         f;
     ngx_uint_t  level;
 
     level = NGX_LOG_CRIT;
@@ -2582,6 +2583,17 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
     } else if (sslerr == SSL_ERROR_SSL) {
 
         n = ERR_GET_REASON(ERR_peek_error());
+        f = ERR_GET_FUNC(ERR_peek_error());
+
+        /* Strict SNI Error Patch
+         * https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-427040319
+         */
+        if (n == SSL_R_CALLBACK_FAILED
+            && f == SSL_F_FINAL_SERVER_NAME) {
+            ERR_peek_error();
+            ERR_clear_error();
+            return;
+        }
 
             /* handshake failures */
         if (n == SSL_R_BAD_CHANGE_CIPHER_SPEC                        /*  103 */
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 7dd28b8c..5e5bbed1 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -849,7 +849,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
     servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
 
     if (servername == NULL) {
-        return SSL_TLSEXT_ERR_NOACK;
+        return SSL_TLSEXT_ERR_ALERT_FATAL;
     }
 
     c = ngx_ssl_get_connection(ssl_conn);
@@ -864,7 +864,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
     host.len = ngx_strlen(servername);
 
     if (host.len == 0) {
-        return SSL_TLSEXT_ERR_NOACK;
+        return SSL_TLSEXT_ERR_ALERT_FATAL;
     }
 
     host.data = (u_char *) servername;
@@ -879,7 +879,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
                                      NULL, &cscf)
         != NGX_OK)
     {
-        return SSL_TLSEXT_ERR_NOACK;
+        return SSL_TLSEXT_ERR_ALERT_FATAL;
     }
 
     hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
Update nginx strict sni patch. 2018-10-07 10:43:09 +00:00			`diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c`
			`index 75129134..d0b926fe 100644`
			`--- a/src/event/ngx_event_openssl.c`
			`+++ b/src/event/ngx_event_openssl.c`
			`@@ -2547,6 +2547,7 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,`
			`char *text)`
			`{`
			`int n;`
			`+ int f;`
			`ngx_uint_t level;`
Add Strict-SNI Thanks @JemmyLoveJenny Issue link : https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-421551872 2018-09-15 12:10:17 +00:00
Update nginx strict sni patch. 2018-10-07 10:43:09 +00:00			`level = NGX_LOG_CRIT;`
			`@@ -2582,6 +2583,17 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,`
			`} else if (sslerr == SSL_ERROR_SSL) {`
Add Strict-SNI Thanks @JemmyLoveJenny Issue link : https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-421551872 2018-09-15 12:10:17 +00:00
Update nginx strict sni patch. 2018-10-07 10:43:09 +00:00			`n = ERR_GET_REASON(ERR_peek_error());`
			`+ f = ERR_GET_FUNC(ERR_peek_error());`
Update nginx strict sni. Issue: https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-427040319 2018-10-04 14:39:24 +00:00			`+`
Update nginx strict sni patch. 2018-10-07 10:43:09 +00:00			`+ /* Strict SNI Error Patch`
			`+ * https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-427040319`
			`+ */`
			`+ if (n == SSL_R_CALLBACK_FAILED`
			`+ && f == SSL_F_FINAL_SERVER_NAME) {`
			`+ ERR_peek_error();`
			`+ ERR_clear_error();`
			`+ return;`
			`+ }`

			`/* handshake failures */`
			`if (n == SSL_R_BAD_CHANGE_CIPHER_SPEC /* 103 */`
Fix some missing sources. Issue: https://github.com/hakasenyang/openssl-patch/issues/7#issuecomment-427643975 2018-10-07 10:58:10 +00:00			`diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c`
			`index 7dd28b8c..5e5bbed1 100644`
			`--- a/src/http/ngx_http_request.c`
			`+++ b/src/http/ngx_http_request.c`
			`@@ -849,7 +849,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t ssl_conn, int ad, void *arg)`
			`servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);`

			`if (servername == NULL) {`
			`- return SSL_TLSEXT_ERR_NOACK;`
			`+ return SSL_TLSEXT_ERR_ALERT_FATAL;`
			`}`

			`c = ngx_ssl_get_connection(ssl_conn);`
			`@@ -864,7 +864,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t ssl_conn, int ad, void *arg)`
			`host.len = ngx_strlen(servername);`

			`if (host.len == 0) {`
			`- return SSL_TLSEXT_ERR_NOACK;`
			`+ return SSL_TLSEXT_ERR_ALERT_FATAL;`
			`}`

			`host.data = (u_char *) servername;`
			`@@ -879,7 +879,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t ssl_conn, int ad, void *arg)`
			`NULL, &cscf)`
			`!= NGX_OK)`
			`{`
			`- return SSL_TLSEXT_ERR_NOACK;`
			`+ return SSL_TLSEXT_ERR_ALERT_FATAL;`
			`}`

			`hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));`