jinql
/
openssl-patch
mirror of https://github.com/hakasenyang/openssl-patch
1
0
Fork 0
Code Issues Releases Wiki Activity

Compatibility patch between nginx strict sni and BoringSSL.

openssl-1.1.1
Hakase 2018-10-07 21:56:53 +09:00
parent 4ddf4e3fc0
commit 5a684e86c1
No known key found for this signature in database
GPG Key ID: BB2821A9E0DF48C9
1 changed files with 37 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
nginx_strict-sni.patch
View File

@ -1,22 +1,55 @@
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 75129134..4b4821bd 100644
index 75129134..a41edeab 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -2547,6 +2547,7 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
@@ -1455,6 +1455,14 @@ ngx_ssl_handshake(ngx_connection_t *c)
c->read->error = 1;
+#if (!defined SSL_R_CALLBACK_FAILED || !defined SSL_F_FINAL_SERVER_NAME)
+ if (sslerr == SSL_ERROR_SSL) {
+ ERR_peek_error();
+ ERR_clear_error();
+ return NGX_ERROR;
+ }
+#endif
+
ngx_ssl_connection_error(c, sslerr, err, "SSL_do_handshake() failed");
return NGX_ERROR;
@@ -1568,6 +1576,14 @@ ngx_ssl_try_early_data(ngx_connection_t *c)
c->read->error = 1;
+#if (!defined SSL_R_CALLBACK_FAILED || !defined SSL_F_FINAL_SERVER_NAME)
+ if (sslerr == SSL_ERROR_SSL) {
+ ERR_peek_error();
+ ERR_clear_error();
+ return NGX_ERROR;
+ }
+#endif
+
ngx_ssl_connection_error(c, sslerr, err, "SSL_read_early_data() failed");
return NGX_ERROR;
@@ -2547,6 +2563,9 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
char *text)
{
int n;
+#if (defined SSL_R_CALLBACK_FAILED && defined SSL_F_FINAL_SERVER_NAME)
+ int f;
+#endif
ngx_uint_t level;
level = NGX_LOG_CRIT;
@@ -2583,6 +2584,18 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
@@ -2583,6 +2602,20 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
n = ERR_GET_REASON(ERR_peek_error());
+ /* Strict SNI Error Patch
+ * https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-427040319
+ */
+#if (defined SSL_R_CALLBACK_FAILED && defined SSL_F_FINAL_SERVER_NAME)
+ if (n == SSL_R_CALLBACK_FAILED) {
+ f = ERR_GET_FUNC(ERR_peek_error());
+ if (f == SSL_F_FINAL_SERVER_NAME) {
@ -25,6 +58,7 @@ index 75129134..4b4821bd 100644
+ return;
+ }
+ }
+#endif
+
/* handshake failures */
if (n == SSL_R_BAD_CHANGE_CIPHER_SPEC /* 103 */