From f44a0db6d5fce89c6c22e6c809b0320f111140ea Mon Sep 17 00:00:00 2001
From: Hakase
Date: Sun, 7 Oct 2018 19:43:09 +0900
Subject: [PATCH] Update nginx strict sni patch.
---
 README.md | 1 -
 nginx_1.15.4_strict-sni.patch | 61 ----------------------------
 nginx_strict-sni.patch | 75 +++++++++++++----------------------
 3 files changed, 28 insertions(+), 109 deletions(-)
 delete mode 100644 nginx_1.15.4_strict-sni.patch
diff --git a/README.md b/README.md
index 783dee5..783c890 100644
--- a/README.md
+++ b/README.md
@@ -68,7 +68,6 @@ Example of setting TLS 1.3 cipher in nginx:
 | remove_nginx_server_header.patch | Remove nginx server header. (http2, http1.1) |
 | nginx_hpack_remove_server_header_1.15.3.patch | HPACK + Remove nginx server header. (http2, http1.1) |
 | nginx_strict-sni.patch | Enable **Strict-SNI**. Thanks [@JemmyLoveJenny](https://github.com/JemmyLoveJenny). [View issue](https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-421551872) |
-| nginx_1.15.4_strict-sni.patch | Same nginx_strict-sni.patch. Removes the SSL_read_early_data error. [View issue](https://github.com/hakasenyang/nginx-build/commit/e3932ebe24b3fc723d6cb041c52ae63876154df9#commitcomment-30796507) |
 | nginx_openssl-1.1.x_renegotiation_bugfix.patch | Bugfix **Secure Client-Initiated Renegotiation**. (Check testssl.sh) OpenSSL >= 1.1.x, nginx = 1.15.4
[Patched nginx 1.15.5](https://github.com/nginx/nginx/commit/53803b4780be15d8014be183d4161091fd5f3376) | ## How To Use?
diff --git a/nginx_1.15.4_strict-sni.patch b/nginx_1.15.4_strict-sni.patch
deleted file mode 100644
index f11259d..0000000
--- a/nginx_1.15.4_strict-sni.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
-index 75129134..fd4d3bb1 100644
---- a/src/event/ngx_event_openssl.c
-+++ b/src/event/ngx_event_openssl.c
-@@ -1455,6 +1455,12 @@ ngx_ssl_handshake(ngx_connection_t *c)
- 
- c->read->error = 1;
- 
-+ if (sslerr == SSL_ERROR_SSL) {
-+ ERR_peek_error();
-+ ERR_clear_error();
-+ return NGX_ERROR;
-+ }
-+ 
- ngx_ssl_connection_error(c, sslerr, err, "SSL_do_handshake() failed");
- 
- return NGX_ERROR;
-@@ -1568,6 +1574,12 @@ ngx_ssl_try_early_data(ngx_connection_t *c)
- 
- c->read->error = 1;
- 
-+ if (sslerr == SSL_ERROR_SSL) {
-+ ERR_peek_error();
-+ ERR_clear_error();
-+ return NGX_ERROR;
-+ }
-+ 
- ngx_ssl_connection_error(c, sslerr, err, "SSL_read_early_data() failed");
- 
- return NGX_ERROR;
-diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
-index 7dd28b8c..5e5bbed1 100644
---- a/src/http/ngx_http_request.c
-+++ b/src/http/ngx_http_request.c
-@@ -849,7 +849,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
- servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
- 
- if (servername == NULL) {
-- return SSL_TLSEXT_ERR_NOACK;
-+ return SSL_TLSEXT_ERR_ALERT_FATAL;
- }
- 
- c = ngx_ssl_get_connection(ssl_conn);
-@@ -864,7 +864,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
- host.len = ngx_strlen(servername);
- 
- if (host.len == 0) {
-- return SSL_TLSEXT_ERR_NOACK;
-+ return SSL_TLSEXT_ERR_ALERT_FATAL;
- }
- 
- host.data = (u_char *) servername;
-@@ -879,7 +879,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
- NULL, &cscf)
- != NGX_OK)
- {
-- return SSL_TLSEXT_ERR_NOACK;
-+ return SSL_TLSEXT_ERR_ALERT_FATAL;
- }
- 
- hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
diff --git a/nginx_strict-sni.patch b/nginx_strict-sni.patch
index a0a6ba1..8bc4e1b 100644
--- a/nginx_strict-sni.patch
+++ b/nginx_strict-sni.patch
@@ -1,49 +1,30 @@
-diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
---- a/src/http/ngx_http_request.c 2018-09-15 10:02:36.520076032 +0000
-+++ b/src/http/ngx_http_request.c 2018-09-15 10:26:32.826874950 +0000
-@@ -882,7 +882,7 @@
- servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
- 
- if (servername == NULL) {
-- return SSL_TLSEXT_ERR_NOACK;
-+ return SSL_TLSEXT_ERR_ALERT_FATAL;
- }
- 
- c = ngx_ssl_get_connection(ssl_conn);
-@@ -897,7 +897,7 @@
- host.len = ngx_strlen(servername);
- 
- if (host.len == 0) {
-- return SSL_TLSEXT_ERR_NOACK;
-+ return SSL_TLSEXT_ERR_ALERT_FATAL;
- }
- 
- 
- host.data = (u_char *) servername;
-@@ -912,7 +912,7 @@
- NULL, &cscf)
- != NGX_OK)
- {
-- return SSL_TLSEXT_ERR_NOACK;
-+ return SSL_TLSEXT_ERR_ALERT_FATAL;
- }
- 
- hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
- 
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
---- a/src/event/ngx_event_openssl.c 2018-10-02 15:13:36.414143028 +0000
-+++ b/src/event/ngx_event_openssl.c 2018-10-04 13:58:28.756873433 +0000
-@@ -1456,6 +1456,13 @@ ngx_ssl_handshake(ngx_connection_t *c)
- 
- c->read->error = 1;
- 
+index 75129134..d0b926fe 100644
+--- a/src/event/ngx_event_openssl.c
++++ b/src/event/ngx_event_openssl.c
+@@ -2547,6 +2547,7 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
+ char *text)
+ {
+ int n;
++ int f;
+ ngx_uint_t level;
+ 
+ level = NGX_LOG_CRIT;
+@@ -2582,6 +2583,17 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
+ } else if (sslerr == SSL_ERROR_SSL) {
+ 
+ n = ERR_GET_REASON(ERR_peek_error());
++ f = ERR_GET_FUNC(ERR_peek_error());
+ 
-+ if (sslerr == SSL_ERROR_SSL) {
-+ ERR_peek_error();
-+ ERR_clear_error();
-+ return NGX_ERROR;
-+ }
- 
- ngx_ssl_connection_error(c, sslerr, err, "SSL_do_handshake() failed");
- 
- return NGX_ERROR;
++ /* Strict SNI Error Patch
++ * https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-427040319
++ */
++ if (n == SSL_R_CALLBACK_FAILED
++ && f == SSL_F_FINAL_SERVER_NAME) {
++ ERR_peek_error();
++ ERR_clear_error();
++ return;
++ }
+ 
+ /* handshake failures */
+ if (n == SSL_R_BAD_CHANGE_CIPHER_SPEC /* 103 */
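Review bot: The new `if (n == SSL_R_CALLBACK_FAILED && f == SSL_F_FINAL_SERVER_NAME)` branch in ngx_ssl_connection_error returns before anything is logged, so a handshake refused for a missing or unmatched SNI leaves no trace in the error log, and the bare `ERR_peek_error();` before `ERR_clear_error();` discards its result and does nothing; since `level` is already in scope, `level = NGX_LOG_INFO;` followed by falling through (the logging tail of the function lies outside this hunk) would keep the rejection visible at the same level as the other handshake failures. The match on `ERR_GET_FUNC` is tied to OpenSSL 1.1.x function codes; on OpenSSL 3.x, where function codes are no longer recorded (ERR_GET_FUNC is deprecated and the legacy `SSL_F_` macros collapse to 0, if I recall correctly), the test degrades to silencing every SSL_R_CALLBACK_FAILED, so an OpenSSL version guard around the comparison, or at least a comment stating that assumption, is warranted. Finally, as far as the hunk shows (-1,49 +1,30, with all 30 new-side lines visible), the rewritten patch file keeps only the ngx_event_openssl.c change and drops the ngx_http_request.c hunks that return `SSL_TLSEXT_ERR_ALERT_FATAL`; unless that change is carried elsewhere, the error this branch filters is never raised and the patch no longer enforces strict SNI.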