-
Notifications
You must be signed in to change notification settings - Fork 27
/
nginx_strict-sni.patch
210 lines (188 loc) · 8.47 KB
/
nginx_strict-sni.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 75129134..30c236b4 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -2547,6 +2547,9 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
char *text)
{
int n;
+#if (defined SSL_R_CALLBACK_FAILED && defined SSL_F_FINAL_SERVER_NAME)
+ int f;
+#endif
ngx_uint_t level;
level = NGX_LOG_CRIT;
@@ -2583,6 +2586,24 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
n = ERR_GET_REASON(ERR_peek_error());
+ /* Strict SNI Error Patch
+ * https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-427040319
+ * https://github.com/hakasenyang/openssl-patch/issues/7#issuecomment-427872934
+ */
+#if (defined SSL_R_CALLBACK_FAILED && defined SSL_F_FINAL_SERVER_NAME)
+ if (n == SSL_R_CALLBACK_FAILED) {
+ f = ERR_GET_FUNC(ERR_peek_error());
+ if (f == SSL_F_FINAL_SERVER_NAME) {
+ while (ERR_peek_error()) {
+ ngx_ssl_error(NGX_LOG_DEBUG, c->log, 0,
+ "ignoring ssl error at STRICT SNI block");
+ }
+ ERR_clear_error();
+ return;
+ }
+ }
+#endif
+
/* handshake failures */
if (n == SSL_R_BAD_CHANGE_CIPHER_SPEC /* 103 */
#ifdef SSL_R_NO_SUITABLE_KEY_SHARE
diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c
index c57ec00c..be60d375 100644
--- a/src/http/ngx_http_core_module.c
+++ b/src/http/ngx_http_core_module.c
@@ -441,6 +441,20 @@ static ngx_command_t ngx_http_core_commands[] = {
offsetof(ngx_http_core_loc_conf_t, directio_alignment),
NULL },
+ { ngx_string("strict_sni"),
+ NGX_HTTP_MAIN_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_core_loc_conf_t, strict_sni),
+ NULL },
+
+ { ngx_string("strict_sni_header"),
+ NGX_HTTP_MAIN_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_core_loc_conf_t, strict_sni_header),
+ NULL },
+
{ ngx_string("tcp_nopush"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
ngx_conf_set_flag_slot,
@@ -3387,6 +3401,8 @@ ngx_http_core_create_loc_conf(ngx_conf_t *cf)
clcf->read_ahead = NGX_CONF_UNSET_SIZE;
clcf->directio = NGX_CONF_UNSET;
clcf->directio_alignment = NGX_CONF_UNSET;
+ clcf->strict_sni = NGX_CONF_UNSET;
+ clcf->strict_sni_header = NGX_CONF_UNSET;
clcf->tcp_nopush = NGX_CONF_UNSET;
clcf->tcp_nodelay = NGX_CONF_UNSET;
clcf->send_timeout = NGX_CONF_UNSET_MSEC;
@@ -3615,6 +3631,8 @@ ngx_http_core_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
NGX_OPEN_FILE_DIRECTIO_OFF);
ngx_conf_merge_off_value(conf->directio_alignment, prev->directio_alignment,
512);
+ ngx_conf_merge_value(conf->strict_sni, prev->strict_sni, 0);
+ ngx_conf_merge_value(conf->strict_sni_header, prev->strict_sni_header, 0);
ngx_conf_merge_value(conf->tcp_nopush, prev->tcp_nopush, 0);
ngx_conf_merge_value(conf->tcp_nodelay, prev->tcp_nodelay, 1);
diff --git a/src/http/ngx_http_core_module.h b/src/http/ngx_http_core_module.h
index 4c6da7c0..04e14d09 100644
--- a/src/http/ngx_http_core_module.h
+++ b/src/http/ngx_http_core_module.h
@@ -382,6 +382,8 @@ struct ngx_http_core_loc_conf_s {
ngx_flag_t sendfile; /* sendfile */
ngx_flag_t aio; /* aio */
ngx_flag_t aio_write; /* aio_write */
+ ngx_flag_t strict_sni; /* strict_sni */
+ ngx_flag_t strict_sni_header; /* strict_sni_header */
ngx_flag_t tcp_nopush; /* tcp_nopush */
ngx_flag_t tcp_nodelay; /* tcp_nodelay */
ngx_flag_t reset_timedout_connection; /* reset_timedout_connection */
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 7dd28b8c..0e4fc6ae 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -846,14 +846,18 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
ngx_http_core_loc_conf_t *clcf;
ngx_http_core_srv_conf_t *cscf;
+ c = ngx_ssl_get_connection(ssl_conn);
+
+ hc = c->data;
+
+ clcf = ngx_http_get_module_loc_conf(hc->conf_ctx, ngx_http_core_module);
+
servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
if (servername == NULL) {
- return SSL_TLSEXT_ERR_NOACK;
+ return (clcf->strict_sni) ? SSL_TLSEXT_ERR_ALERT_FATAL : SSL_TLSEXT_ERR_NOACK;
}
- c = ngx_ssl_get_connection(ssl_conn);
-
if (c->ssl->handshaked) {
return SSL_TLSEXT_ERR_NOACK;
}
@@ -864,7 +868,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
host.len = ngx_strlen(servername);
if (host.len == 0) {
- return SSL_TLSEXT_ERR_NOACK;
+ return (clcf->strict_sni) ? SSL_TLSEXT_ERR_ALERT_FATAL : SSL_TLSEXT_ERR_NOACK;
}
host.data = (u_char *) servername;
@@ -873,13 +877,11 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
return SSL_TLSEXT_ERR_NOACK;
}
- hc = c->data;
-
if (ngx_http_find_virtual_server(c, hc->addr_conf->virtual_names, &host,
NULL, &cscf)
!= NGX_OK)
{
- return SSL_TLSEXT_ERR_NOACK;
+ return (clcf->strict_sni) ? SSL_TLSEXT_ERR_ALERT_FATAL : SSL_TLSEXT_ERR_NOACK;
}
hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
@@ -891,8 +893,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
hc->conf_ctx = cscf->ctx;
- clcf = ngx_http_get_module_loc_conf(hc->conf_ctx, ngx_http_core_module);
-
ngx_set_connection_log(c, clcf->error_log);
sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
@@ -936,15 +936,18 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
static void
ngx_http_process_request_line(ngx_event_t *rev)
{
- ssize_t n;
- ngx_int_t rc, rv;
- ngx_str_t host;
- ngx_connection_t *c;
- ngx_http_request_t *r;
+ ssize_t n;
+ ngx_int_t rc, rv;
+ ngx_str_t host;
+ ngx_connection_t *c;
+ ngx_http_core_loc_conf_t *clcf;
+ ngx_http_request_t *r;
c = rev->data;
r = c->data;
+ clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
+
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, rev->log, 0,
"http process request line");
@@ -1060,10 +1063,10 @@ ngx_http_process_request_line(ngx_event_t *rev)
ngx_http_client_errors[rc - NGX_HTTP_CLIENT_ERROR]);
if (rc == NGX_HTTP_PARSE_INVALID_VERSION) {
- ngx_http_finalize_request(r, NGX_HTTP_VERSION_NOT_SUPPORTED);
+ (r->http_connection->ssl && clcf->strict_sni && clcf->strict_sni_header) ? ngx_http_terminate_request(r, 0) : ngx_http_finalize_request(r, NGX_HTTP_VERSION_NOT_SUPPORTED);
} else {
- ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
+ (r->http_connection->ssl && clcf->strict_sni && clcf->strict_sni_header) ? ngx_http_terminate_request(r, 0) : ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
}
break;
@@ -1808,6 +1811,9 @@ ngx_http_process_multi_header_lines(ngx_http_request_t *r, ngx_table_elt_t *h,
ngx_int_t
ngx_http_process_request_header(ngx_http_request_t *r)
{
+ ngx_http_core_loc_conf_t *clcf;
+ clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
+
if (r->headers_in.server.len == 0
&& ngx_http_set_virtual_server(r, &r->headers_in.server)
== NGX_ERROR)
@@ -1818,7 +1824,7 @@ ngx_http_process_request_header(ngx_http_request_t *r)
if (r->headers_in.host == NULL && r->http_version > NGX_HTTP_VERSION_10) {
ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
"client sent HTTP/1.1 request without \"Host\" header");
- ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
+ (r->http_connection->ssl && clcf->strict_sni && clcf->strict_sni_header) ? ngx_http_terminate_request(r, 0) : ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
return NGX_ERROR;
}