jinql
/
openssl-patch
mirror of https://github.com/hakasenyang/openssl-patch
1
0
Fork 0
Code Issues Releases Wiki Activity

Update nginx strict sni. 

Issue: https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-427040319
openssl-1.1.1
Hakase 2018-10-04 23:39:24 +09:00
parent d435a2c386
commit 08fded9050
No known key found for this signature in database
GPG Key ID: BB2821A9E0DF48C9
3 changed files with 25 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
README.md
View File

@ -109,13 +109,7 @@ Run it from the nginx directory.
``curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_strict-sni.patch | patch -p1``
And then run it from the openssl directory.
``curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/openssl_ignore_log_strict-sni.patch | patch -p1``
Finally, build nginx.
Example patch is [here](https://github.com/hakasenyang/nginx-build/blob/master/strict-sni-example.patch). (nginx)
Thanks [@JemmyLoveJenny](https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-427040319)!
### nginx OpenSSL-1.1.x Renegotiation Bugfix

30
nginx_strict-sni.patch
View File

@ -1,8 +1,7 @@
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 98cc8c7..0810526 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -849,7 +849,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
--- a/src/http/ngx_http_request.c 2018-09-15 10:02:36.520076032 +0000
+++ b/src/http/ngx_http_request.c 2018-09-15 10:26:32.826874950 +0000
@@ -882,7 +882,7 @@
servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
if (servername == NULL) {
@ -11,7 +10,7 @@ index 98cc8c7..0810526 100644
}
c = ngx_ssl_get_connection(ssl_conn);
@@ -864,7 +864,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
@@ -897,7 +897,7 @@
host.len = ngx_strlen(servername);
if (host.len == 0) {
@ -19,8 +18,9 @@ index 98cc8c7..0810526 100644
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
}
host.data = (u_char *) servername;
@@ -879,7 +879,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
@@ -912,7 +912,7 @@
NULL, &cscf)
!= NGX_OK)
{
@ -29,3 +29,21 @@ index 98cc8c7..0810526 100644
}
hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c 2018-10-02 15:13:36.414143028 +0000
+++ b/src/event/ngx_event_openssl.c 2018-10-04 13:58:28.756873433 +0000
@@ -1456,6 +1456,13 @@ ngx_ssl_handshake(ngx_connection_t *c)
c->read->error = 1;
+
+ if (sslerr == SSL_ERROR_SSL) {
+ ERR_peek_error();
+ ERR_clear_error();
+ return NGX_ERROR;
+ }
+
ngx_ssl_connection_error(c, sslerr, err, "SSL_do_handshake() failed");
return NGX_ERROR;

16
openssl-ignore_log_strict-sni.patch
View File

@ -1,16 +0,0 @@
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index 8422161dc1..675446e59f 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -998,7 +998,9 @@ static int final_server_name(SSL *s, unsigned int context, int sent)
switch (ret) {
case SSL_TLSEXT_ERR_ALERT_FATAL:
- SSLfatal(s, altmp, SSL_F_FINAL_SERVER_NAME, SSL_R_CALLBACK_FAILED);
+ s->statem.in_init = 1;
+ s->statem.state = MSG_FLOW_ERROR;
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_F_FINAL_RENEGOTIATE);
return 0;
case SSL_TLSEXT_ERR_ALERT_WARNING: