Update the strict SNI patch for nginx > 1.15.4.
The error only occurs under certain circumstances:
ssl_early_data on;
There should be no SNI data. ex) http: // IP
Connection of TLS 1.3 Supported Browsers
Error example)
/var/log/nginx/error.log
2018/10/06 22:46:21 [crit] 81400#81400: *11 SSL_read_early_data() failed (SSL: error:1422E0EA:SSL routines:final_server_name:callback failed) while SSL handshaking, client: 0.0.0.0, server: 0.0.0.0:443
Patch : e3932ebe24 (commitcomment-30796507)
This patch is available for nginx 1.15.4 and later.
openssl-1.1.1
parent
88e8d70a10
commit
9ec0d25a8b
@ -0,0 +1,52 @@
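--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -1455,6 +1455,12 @@ ngx_ssl_handshake(ngx_connection_t *c)
 
 c->read->error = 1;
 
+ if (sslerr == SSL_ERROR_SSL) {
+ ERR_peek_error();
+ ERR_clear_error();
+ return NGX_ERROR;
+ }
+
 ngx_ssl_connection_error(c, sslerr, err, "SSL_do_handshake() failed");
 
 return NGX_ERROR;
@@ -1568,6 +1574,12 @@ ngx_ssl_try_early_data(ngx_connection_t *c)
 
 c->read->error = 1;
 
+ if (sslerr == SSL_ERROR_SSL) {
+ ERR_peek_error();
+ ERR_clear_error();
+ return NGX_ERROR;
+ }
+
 ngx_ssl_connection_error(c, sslerr, err, "SSL_read_early_data() failed");
 
 return NGX_ERROR;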
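Review bot: The new `if (sslerr == SSL_ERROR_SSL)` block, in both the ngx_ssl_handshake and the ngx_ssl_try_early_data hunk, returns before `ngx_ssl_connection_error()` for every SSL_ERROR_SSL result, so all protocol-level handshake failures — not only the SNI callback rejection this patch targets — vanish from error.log, and the `ERR_peek_error()` call discards its return value, so it does nothing. Those log lines are the signal an operator relies on to notice malformed ClientHellos, certificate problems or misconfiguration, so silencing them wholesale trades one noisy message for blind spots. Narrow the guard to the reason the description's log line shows ("callback failed"): `if (sslerr == SSL_ERROR_SSL && ERR_GET_REASON(ERR_peek_error()) == SSL_R_CALLBACK_FAILED) {` and keep the `ERR_clear_error()` inside it; alternatively, if I recall nginx correctly, `ngx_ssl_connection_error()` already maps benign reasons to a lower log level, and adding this reason there (outside the hunk, worth confirming) would be the less invasive fix. Both enclosing functions start and end outside the hunks.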
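--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -849,7 +849,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
 servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
 
 if (servername == NULL) {
- return SSL_TLSEXT_ERR_NOACK;
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
 }
 
 c = ngx_ssl_get_connection(ssl_conn);
@@ -864,7 +864,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
 host.len = ngx_strlen(servername);
 
 if (host.len == 0) {
- return SSL_TLSEXT_ERR_NOACK;
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
 }
 
 host.data = (u_char *) servername;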
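Review bot: Both hunks return `SSL_TLSEXT_ERR_ALERT_FATAL` without assigning `*ad`, so the alert description sent to the client is whatever OpenSSL defaults to, and nothing in the hunks explains why a missing or empty server_name is now a hard failure rather than the previous no-acknowledge fallback to the default server. Add a policy comment above the first return, e.g. `/* strict SNI: refuse ClientHellos without server_name so the default certificate is never served to clients connecting by IP */`, and set `*ad = SSL_AD_UNRECOGNIZED_NAME;` before each fatal return so the peer is told the reason. The change also rejects every legitimate SNI-less client (older tools, health checks that connect by address), which appears to be the intent but should be stated in the commit description. ngx_http_ssl_servername starts and ends outside the hunks.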