From 9ec0d25a8b796571b962d8d0ff597786746ed08a Mon Sep 17 00:00:00 2001
From: Hakase
Date: Sat, 6 Oct 2018 23:01:11 +0900
Subject: [PATCH] Update nginx > 1.15.4 strict sni patch.

It only happens under certain circumstances. ssl_early_data on; There should be no SNI data. ex) http: // IP Connection of TLS 1.3 Supported Browsers Error example) /var/log/nginx/error.log 2018/10/06 22:46:21 [crit] 81400#81400: *11 SSL_read_early_data() failed (SSL: error:1422E0EA:SSL routines:final_server_name:callback failed) while SSL handshaking, client: 0.0.0.0, server: 0.0.0.0:443 Patch : https://github.com/hakasenyang/nginx-build/commit/e3932ebe24b3fc723d6cb041c52ae63876154df9#commitcomment-30796507 This patch is available for nginx 1.15.4 and later.
---
nginx_1.15.4_strict-sni.patch | 52 +++++++++++++++++++++++++++++++++++
1 file changed, 52 insertions(+)
create mode 100644 nginx_1.15.4_strict-sni.patch

diff --git a/nginx_1.15.4_strict-sni.patch b/nginx_1.15.4_strict-sni.patch
new file mode 100644
index 0000000..392f5f4
--- /dev/null
+++ b/nginx_1.15.4_strict-sni.patch
@@ -0,0 +1,52 @@
+diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
+index 75129134..fd4d3bb1 100644
+--- a/src/event/ngx_event_openssl.c
++++ b/src/event/ngx_event_openssl.c
+@@ -1455,6 +1455,12 @@ ngx_ssl_handshake(ngx_connection_t *c)
+ 
+ c->read->error = 1;
+ 
++ if (sslerr == SSL_ERROR_SSL) {
++ ERR_peek_error();
++ ERR_clear_error();
++ return NGX_ERROR;
++ }
++
+ ngx_ssl_connection_error(c, sslerr, err, "SSL_do_handshake() failed");
+ 
+ return NGX_ERROR;
+@@ -1568,6 +1574,12 @@ ngx_ssl_try_early_data(ngx_connection_t *c)
+ 
+ c->read->error = 1;
+ 
++ if (sslerr == SSL_ERROR_SSL) {
++ ERR_peek_error();
++ ERR_clear_error();
++ return NGX_ERROR;
++ }
++
+ ngx_ssl_connection_error(c, sslerr, err, "SSL_read_early_data() failed");
+ 
+ return NGX_ERROR;
+diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
+index 7dd28b8c..aacc600a 100644
+--- a/src/http/ngx_http_request.c
++++ b/src/http/ngx_http_request.c
+@@ -849,7 +849,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+ servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
+ 
+ if (servername == NULL) {
+- return SSL_TLSEXT_ERR_NOACK;
++ return SSL_TLSEXT_ERR_ALERT_FATAL;
+ }
+ 
+ c = ngx_ssl_get_connection(ssl_conn);
+@@ -864,7 +864,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
+ host.len = ngx_strlen(servername);
+ 
+ if (host.len == 0) {
+- return SSL_TLSEXT_ERR_NOACK;
++ return SSL_TLSEXT_ERR_ALERT_FATAL;
+ }
+ 
+ host.data = (u_char *) servername;
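Review bot: The new `if (sslerr == SSL_ERROR_SSL)` guards in both ngx_event_openssl.c hunks discard every SSL-layer failure before `ngx_ssl_connection_error()` can log it, not just the `final_server_name: callback failed` case the commit message targets, so version and cipher mismatches, malformed ClientHellos and client-certificate failures from the handshake and the early-data read silently vanish from error.log, which blinds any detection that keys on those records. The `ERR_peek_error()` call is also dead as written because its return value is dropped; the reason code it yields is exactly what the check should key on. Narrow the guard to the alert the strict-SNI callback produces, e.g. `if (sslerr == SSL_ERROR_SSL && ERR_GET_REASON(ERR_peek_error()) == SSL_R_CALLBACK_FAILED) {` — the `0EA` reason in the logged `error:1422E0EA` appears to be `SSL_R_CALLBACK_FAILED`, matching the quoted "callback failed" text — and leave the existing `ngx_ssl_connection_error()` path in place for everything else (that function, which already downgrades some reasons to info level, is outside the hunk and would be the better place to quiet this one reason). In ngx_http_request.c, consider setting `*ad = SSL_AD_UNRECOGNIZED_NAME;` before each `return SSL_TLSEXT_ERR_ALERT_FATAL;` so the alert sent to SNI-less clients is explicit rather than relying on OpenSSL's default. All three modified functions start and end outside the hunk.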