From 1085f680183848a7311df330f043eeb0e41f5570 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Thu, 27 Apr 2017 22:25:58 +0900
Subject: [PATCH] nghttpx: Return SSL_TLSEXT_ERR_NOACK if server name is not recognized

With this commit, SSL_TLSEXT_ERR_NOACK is returned from servername_callback, which removes server_name extension from ServerHello. CertLookupTree is now used even if the number of server certificate is one. It is better to exercise it regularly.
---
 src/shrpx_tls.cc | 25 +++++++------------------
 1 file changed, 7 insertions(+), 18 deletions(-)

diff --git a/src/shrpx_tls.cc b/src/shrpx_tls.cc
index 677b12cd..7d70b167 100644
--- a/src/shrpx_tls.cc
+++ b/src/shrpx_tls.cc
@@ -153,13 +153,13 @@ int servername_callback(SSL *ssl, int *al, void *arg) {
   auto rawhost = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
   if (rawhost == nullptr) {
-    return SSL_TLSEXT_ERR_OK;
+    return SSL_TLSEXT_ERR_NOACK;
   }
   auto len = strlen(rawhost);
   // NI_MAXHOST includes terminal NULL.
   if (len == 0 || len + 1 > NI_MAXHOST) {
-    return SSL_TLSEXT_ERR_OK;
+    return SSL_TLSEXT_ERR_NOACK;
   }
   std::array buf;
@@ -170,18 +170,15 @@ int servername_callback(SSL *ssl, int *al, void *arg) {
   auto hostname = StringRef{std::begin(buf), end_buf};
-  handler->set_tls_sni(hostname);
-
   auto cert_tree = worker->get_cert_lookup_tree();
-  if (!cert_tree) {
-    return SSL_TLSEXT_ERR_OK;
-  }
   auto idx = cert_tree->lookup(hostname);
   if (idx == -1) {
-    return SSL_TLSEXT_ERR_OK;
+    return SSL_TLSEXT_ERR_NOACK;
   }
+  handler->set_tls_sni(hostname);
+
   auto conn_handler = worker->get_connection_handler();
   const auto &ssl_ctx_list = conn_handler->get_indexed_ssl_ctx(idx);
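Review bot: The new SSL_TLSEXT_ERR_NOACK returns in this hunk (and the one at line 170) give no hint why NOACK, rather than OK or a fatal unrecognized_name alert, is the intended answer for an absent, empty, oversized or unknown server name, so a later maintainer is likely to "normalise" them back. A one-line comment at the first return would pin the contract: `// No usable SNI (absent, empty, too long, or unknown below): keep handshaking with the default certificate and omit server_name from ServerHello; RFC 6066 section 3 allows continuing instead of aborting.` The `al` parameter is still unused after this change, which is consistent with never raising an alert here. servername_callback begins before this hunk and continues past the next one.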
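Review bot: Moving `handler->set_tls_sni(hostname)` below the lookup means the handler no longer records the client's SNI for connections whose name matched no certificate, which is an observable change for anything that later reads the stored SNI (access logging, routing), and nothing in the hunk says it is intended; either add `// Record the SNI only when a certificate was selected for it.` above the call or keep the call above the lookup. Separately, dropping the `if (!cert_tree)` guard makes `cert_tree->lookup(hostname)` an unconditional dereference driven by a remote ClientHello; it is safe only if this callback is never installed when create_cert_lookup_tree() returns nullptr (TLS upstream disabled, per the last hunk), an invariant not visible here. Since the guard is cheap, keeping `if (!cert_tree) { return SSL_TLSEXT_ERR_NOACK; }` would make the callback robust regardless of how the SSL_CTX was set up. The enclosing servername_callback starts before and ends after this hunk.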
@@ -1675,15 +1672,7 @@ setup_server_ssl_context(std::vector &all_ssl_ctx,
   all_ssl_ctx.push_back(ssl_ctx);
-  if (tlsconf.subcerts.empty()) {
-    return ssl_ctx;
-  }
-
-  if (!cert_tree) {
-    LOG(WARN) << "We have multiple additional certificates (--subcert), but " "cert_tree is not given. SNI may not work.";
-    return ssl_ctx;
-  }
+  assert(cert_tree);
   if (cert_lookup_tree_add_ssl_ctx(cert_tree, indexed_ssl_ctx, ssl_ctx) == -1) {
     LOG(FATAL) << "Failed to add default certificate.";
@@ -1742,7 +1731,7 @@ void setup_downstream_http1_alpn(SSL *ssl) {
 std::unique_ptr create_cert_lookup_tree() {
   auto config = get_config();
-  if (!upstream_tls_enabled(config->conn) || config->tls.subcerts.empty()) {
+  if (!upstream_tls_enabled(config->conn)) {
     return nullptr;
   }
   return make_unique();
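Review bot: `assert(cert_tree)` compiles to nothing under NDEBUG, so in a release build a null cert_tree reaches `cert_lookup_tree_add_ssl_ctx(cert_tree, ...)` on the very next line unchecked, whereas the WARN-and-return it replaces at least kept the process up. This is configuration-time code, so failing loudly is the right call, but it should fail in every build: mirror the LOG(FATAL) handling the hunk already uses two lines below for the add failure, e.g. `if (!cert_tree) { LOG(FATAL) << "cert_tree is required when TLS is enabled"; }` followed by whatever the existing FATAL path does to stop startup. A short comment such as `// Since create_cert_lookup_tree() always builds a tree when TLS is enabled, the default certificate is always indexed here.` would also explain why the subcerts.empty() early return went away. setup_server_ssl_context begins and ends outside this hunk.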