From 08fded905022d8fcbca863d977f8343a1d5afeaa Mon Sep 17 00:00:00 2001 From: Hakase Date: Thu, 4 Oct 2018 23:39:24 +0900 Subject: [PATCH] Update nginx strict sni. Issue: https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-427040319 --- README.md | 8 +------- nginx_strict-sni.patch | 30 +++++++++++++++++++++++------ openssl-ignore_log_strict-sni.patch | 16 --------------- 3 files changed, 25 insertions(+), 29 deletions(-) delete mode 100644 openssl-ignore_log_strict-sni.patch diff --git a/README.md b/README.md index de58cfc..c34ec31 100644 --- a/README.md +++ b/README.md @@ -109,13 +109,7 @@ Run it from the nginx directory. ``curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/nginx_strict-sni.patch | patch -p1`` -And then run it from the openssl directory. - -``curl https://raw.githubusercontent.com/hakasenyang/openssl-patch/master/openssl_ignore_log_strict-sni.patch | patch -p1`` - -Finally, build nginx. - -Example patch is [here](https://github.com/hakasenyang/nginx-build/blob/master/strict-sni-example.patch). (nginx) +Thanks [@JemmyLoveJenny](https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-427040319)! ### nginx OpenSSL-1.1.x Renegotiation Bugfix diff --git a/nginx_strict-sni.patch b/nginx_strict-sni.patch index fc5d715..a0a6ba1 100644 --- a/nginx_strict-sni.patch +++ b/nginx_strict-sni.patch @@ -1,8 +1,7 @@ diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c -index 98cc8c7..0810526 100644 ---- a/src/http/ngx_http_request.c -+++ b/src/http/ngx_http_request.c -@@ -849,7 +849,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) +--- a/src/http/ngx_http_request.c 2018-09-15 10:02:36.520076032 +0000 ++++ b/src/http/ngx_http_request.c 2018-09-15 10:26:32.826874950 +0000 +@@ -882,7 +882,7 @@ servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name); if (servername == NULL) { 
@@ -11,7 +10,7 @@ index 98cc8c7..0810526 100644 } c = ngx_ssl_get_connection(ssl_conn); -@@ -864,7 +864,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) +@@ -897,7 +897,7 @@ host.len = ngx_strlen(servername); if (host.len == 0) { @@ -19,8 +18,9 @@ index 98cc8c7..0810526 100644 + return SSL_TLSEXT_ERR_ALERT_FATAL; } + host.data = (u_char *) servername; -@@ -879,7 +879,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) +@@ -912,7 +912,7 @@ NULL, &cscf) != NGX_OK) { @@ -29,3 +29,21 @@ index 98cc8c7..0810526 100644 } hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t)); + +diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c +--- a/src/event/ngx_event_openssl.c 2018-10-02 15:13:36.414143028 +0000 ++++ b/src/event/ngx_event_openssl.c 2018-10-04 13:58:28.756873433 +0000 +@@ -1456,6 +1456,13 @@ ngx_ssl_handshake(ngx_connection_t *c) + + c->read->error = 1; + ++ ++ if (sslerr == SSL_ERROR_SSL) { ++ ERR_peek_error(); ++ ERR_clear_error(); ++ return NGX_ERROR; ++ } ++ + ngx_ssl_connection_error(c, sslerr, err, "SSL_do_handshake() failed"); + + return NGX_ERROR; diff --git a/openssl-ignore_log_strict-sni.patch b/openssl-ignore_log_strict-sni.patch deleted file mode 100644 index 88315f5..0000000 --- a/openssl-ignore_log_strict-sni.patch +++ /dev/null @@ -1,16 +0,0 @@ -diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c -index 8422161dc1..675446e59f 100644 ---- a/ssl/statem/extensions.c -+++ b/ssl/statem/extensions.c -@@ -998,7 +998,9 @@ static int final_server_name(SSL *s, unsigned int context, int sent) - - switch (ret) { - case SSL_TLSEXT_ERR_ALERT_FATAL: -- SSLfatal(s, altmp, SSL_F_FINAL_SERVER_NAME, SSL_R_CALLBACK_FAILED); -+ s->statem.in_init = 1; -+ s->statem.state = MSG_FLOW_ERROR; -+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_F_FINAL_RENEGOTIATE); - return 0; - - case SSL_TLSEXT_ERR_ALERT_WARNING: -
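Review bot: The new SSL_ERROR_SSL branch in the added ngx_event_openssl.c hunk suppresses the error log for every SSL_ERROR_SSL handshake failure, not only the fatal alert raised by the strict-SNI servername callback, so malformed ClientHellos, protocol faults and other handshake errors also vanish from error.log and operators lose that signal. The bare `ERR_peek_error();` discards its return value and has no effect; using that value to narrow the condition keeps the other diagnostics, e.g. `if (sslerr == SSL_ERROR_SSL && ERR_GET_REASON(ERR_peek_error()) == SSL_R_CALLBACK_FAILED) {` (SSL_R_CALLBACK_FAILED is the reason OpenSSL's final_server_name reports for the callback's SSL_TLSEXT_ERR_ALERT_FATAL, as the deleted openssl patch shows), though whether an earlier queued error could precede it in the error stack should be confirmed. A comment above the block stating why the log line is skipped, such as `/* strict SNI: the servername callback rejected the handshake on purpose; do not report it as an error */`, would also help the next maintainer. ngx_ssl_handshake begins and ends outside this hunk.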