Update nginx > 1.15.4 strict sni patch.

It only happens under certain circumstances.

    ssl_early_data on;
    There should be no SNI data. ex) http: // IP
    Connection of TLS 1.3 Supported Browsers

Error example)
/var/log/nginx/error.log
2018/10/06 22:46:21 [crit] 81400#81400: *11 SSL_read_early_data() failed (SSL: error:1422E0EA:SSL routines:final_server_name:callback failed) while SSL handshaking, client: 0.0.0.0, server: 0.0.0.0:443

Patch : e3932ebe24 (commitcomment-30796507)

This patch is available for nginx 1.15.4 and later.
openssl-1.1.1
Hakase 2018-10-06 23:01:11 +09:00
parent 88e8d70a10
commit 9ec0d25a8b
No known key found for this signature in database
GPG Key ID: BB2821A9E0DF48C9
1 changed files with 52 additions and 0 deletions

View File

@ -0,0 +1,52 @@
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 75129134..fd4d3bb1 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -1455,6 +1455,12 @@ ngx_ssl_handshake(ngx_connection_t *c)
c->read->error = 1;
+ if (sslerr == SSL_ERROR_SSL) {
+ ERR_peek_error();
+ ERR_clear_error();
+ return NGX_ERROR;
+ }
+
ngx_ssl_connection_error(c, sslerr, err, "SSL_do_handshake() failed");
return NGX_ERROR;
@@ -1568,6 +1574,12 @@ ngx_ssl_try_early_data(ngx_connection_t *c)
c->read->error = 1;
+ if (sslerr == SSL_ERROR_SSL) {
+ ERR_peek_error();
+ ERR_clear_error();
+ return NGX_ERROR;
+ }
+
ngx_ssl_connection_error(c, sslerr, err, "SSL_read_early_data() failed");
return NGX_ERROR;
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 7dd28b8c..aacc600a 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -849,7 +849,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
if (servername == NULL) {
- return SSL_TLSEXT_ERR_NOACK;
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
}
c = ngx_ssl_get_connection(ssl_conn);
@@ -864,7 +864,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
host.len = ngx_strlen(servername);
if (host.len == 0) {
- return SSL_TLSEXT_ERR_NOACK;
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
}
host.data = (u_char *) servername;