
nginx_strict-sni_1.15.10.patch 8.6KB

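diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index bee264c9..f4b7deec 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -2818,6 +2818,9 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
 char *text)
 {
 int n;
+#if (defined SSL_R_CALLBACK_FAILED && defined SSL_F_FINAL_SERVER_NAME)
+ int f;
+#endif
 ngx_uint_t level;
 level = NGX_LOG_CRIT;
@@ -2854,6 +2857,24 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
 n = ERR_GET_REASON(ERR_peek_error());
+ /* Strict SNI Error Patch
+ * https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-427040319
+ * https://github.com/hakasenyang/openssl-patch/issues/7#issuecomment-427872934
+ */
+#if (defined SSL_R_CALLBACK_FAILED && defined SSL_F_FINAL_SERVER_NAME)
+ if (n == SSL_R_CALLBACK_FAILED) {
+ f = ERR_GET_FUNC(ERR_peek_error());
+ if (f == SSL_F_FINAL_SERVER_NAME) {
+ while (ERR_peek_error()) {
+ ngx_ssl_error(NGX_LOG_DEBUG, c->log, 0,
+ "ignoring ssl error at STRICT SNI block");
+ }
+ ERR_clear_error();
+ return;
+ }
+ }
+#endif
+
 /* handshake failures */
 if (n == SSL_R_BAD_CHANGE_CIPHER_SPEC /* 103 */
 #ifdef SSL_R_NO_SUITABLE_KEY_SHARE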
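Review bot: The new early return in ngx_ssl_connection_error identifies the strict-SNI rejection by `f == SSL_F_FINAL_SERVER_NAME`, which ties it to OpenSSL function codes; as far as I know OpenSSL 3.0 stops recording them (ERR_GET_FUNC returns 0 and the legacy SSL_F_* macros expand to 0), in which case the condition would match every SSL_R_CALLBACK_FAILED error and silence it at debug level, not only the SNI rejection. A comment above the `#if` such as `/* relies on OpenSSL function codes; ERR_GET_FUNC() is 0 on 3.0+, so this would match any CALLBACK_FAILED there */` would save the next maintainer that surprise. Also, ngx_ssl_error appears to drain the error queue itself, so the `while (ERR_peek_error())` loop runs at most once and the following `ERR_clear_error();` is redundant. Since the rejection is now logged only at NGX_LOG_DEBUG, operators lose the usual record of handshakes failed for a missing or unknown SNI; NGX_LOG_INFO would keep that visible without the crit-level noise. The function's body continues outside both hunks.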
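diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c
index 5e7152f0..45b271f5 100644
--- a/src/http/ngx_http_core_module.c
+++ b/src/http/ngx_http_core_module.c
@@ -441,6 +441,20 @@ static ngx_command_t ngx_http_core_commands[] = {
 offsetof(ngx_http_core_loc_conf_t, directio_alignment),
 NULL },
+ { ngx_string("strict_sni"),
+ NGX_HTTP_MAIN_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_core_loc_conf_t, strict_sni),
+ NULL },
+
+ { ngx_string("strict_sni_header"),
+ NGX_HTTP_MAIN_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_core_loc_conf_t, strict_sni_header),
+ NULL },
+
 { ngx_string("tcp_nopush"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
 ngx_conf_set_flag_slot,
@@ -3395,6 +3409,8 @@ ngx_http_core_create_loc_conf(ngx_conf_t *cf)
 clcf->read_ahead = NGX_CONF_UNSET_SIZE;
 clcf->directio = NGX_CONF_UNSET;
 clcf->directio_alignment = NGX_CONF_UNSET;
+ clcf->strict_sni = NGX_CONF_UNSET;
+ clcf->strict_sni_header = NGX_CONF_UNSET;
 clcf->tcp_nopush = NGX_CONF_UNSET;
 clcf->tcp_nodelay = NGX_CONF_UNSET;
 clcf->send_timeout = NGX_CONF_UNSET_MSEC;
@@ -3623,6 +3639,8 @@ ngx_http_core_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
 NGX_OPEN_FILE_DIRECTIO_OFF);
 ngx_conf_merge_off_value(conf->directio_alignment, prev->directio_alignment,
 512);
+ ngx_conf_merge_value(conf->strict_sni, prev->strict_sni, 0);
+ ngx_conf_merge_value(conf->strict_sni_header, prev->strict_sni_header, 0);
 ngx_conf_merge_value(conf->tcp_nopush, prev->tcp_nopush, 0);
 ngx_conf_merge_value(conf->tcp_nodelay, prev->tcp_nodelay, 1);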
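Review bot: Both new directives are restricted to NGX_HTTP_MAIN_CONF yet stored at NGX_HTTP_LOC_CONF_OFFSET and merged in ngx_http_core_merge_loc_conf, and nothing in the hunk says why; a comment above the `strict_sni` entry such as `/* main-level only: ngx_http_ssl_servername reads this through the default server's conf_ctx before the virtual server is known, so a per-server value could not be honoured */` would document the constraint. Without it, a later change that adds NGX_HTTP_SRV_CONF would appear to work but would not apply to SNI-selected servers. The ngx_http_core_commands array and both functions continue outside these hunks.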
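diff --git a/src/http/ngx_http_core_module.h b/src/http/ngx_http_core_module.h
index 4c6da7c0..04e14d09 100644
--- a/src/http/ngx_http_core_module.h
+++ b/src/http/ngx_http_core_module.h
@@ -382,6 +382,8 @@ struct ngx_http_core_loc_conf_s {
 ngx_flag_t sendfile; /* sendfile */
 ngx_flag_t aio; /* aio */
 ngx_flag_t aio_write; /* aio_write */
+ ngx_flag_t strict_sni; /* strict_sni */
+ ngx_flag_t strict_sni_header; /* strict_sni_header */
 ngx_flag_t tcp_nopush; /* tcp_nopush */
 ngx_flag_t tcp_nodelay; /* tcp_nodelay */
 ngx_flag_t reset_timedout_connection; /* reset_timedout_connection */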
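diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 80c19656..26b7de81 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -866,6 +866,10 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
 c = ngx_ssl_get_connection(ssl_conn);
+ hc = c->data;
+
+ clcf = ngx_http_get_module_loc_conf(hc->conf_ctx, ngx_http_core_module);
+
 if (c->ssl->handshaked) {
 *ad = SSL_AD_NO_RENEGOTIATION;
 return SSL_TLSEXT_ERR_ALERT_FATAL;
@@ -874,7 +878,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
 servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
 if (servername == NULL) {
- return SSL_TLSEXT_ERR_OK;
+ return (clcf->strict_sni) ? SSL_TLSEXT_ERR_ALERT_FATAL : SSL_TLSEXT_ERR_OK;
 }
 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
@@ -883,7 +887,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
 host.len = ngx_strlen(servername);
 if (host.len == 0) {
- return SSL_TLSEXT_ERR_OK;
+ return (clcf->strict_sni) ? SSL_TLSEXT_ERR_ALERT_FATAL : SSL_TLSEXT_ERR_OK;
 }
 host.data = (u_char *) servername;
@@ -899,8 +903,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
 return SSL_TLSEXT_ERR_OK;
 }
- hc = c->data;
-
 rc = ngx_http_find_virtual_server(c, hc->addr_conf->virtual_names, &host,
 NULL, &cscf);
@@ -910,7 +912,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
 }
 if (rc == NGX_DECLINED) {
- return SSL_TLSEXT_ERR_OK;
+ return (clcf->strict_sni) ? SSL_TLSEXT_ERR_ALERT_FATAL : SSL_TLSEXT_ERR_OK;
 }
 hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
@@ -923,8 +925,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
 hc->conf_ctx = cscf->ctx;
- clcf = ngx_http_get_module_loc_conf(hc->conf_ctx, ngx_http_core_module);
-
 ngx_set_connection_log(c, clcf->error_log);
 sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
@@ -1037,15 +1037,18 @@ failed:
 static void
 ngx_http_process_request_line(ngx_event_t *rev)
 {
- ssize_t n;
- ngx_int_t rc, rv;
- ngx_str_t host;
- ngx_connection_t *c;
- ngx_http_request_t *r;
+ ssize_t n;
+ ngx_int_t rc, rv;
+ ngx_str_t host;
+ ngx_connection_t *c;
+ ngx_http_core_loc_conf_t *clcf;
+ ngx_http_request_t *r;
 c = rev->data;
 r = c->data;
+ clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
+
 ngx_log_debug0(NGX_LOG_DEBUG_HTTP, rev->log, 0,
 "http process request line");
@@ -1161,10 +1164,10 @@ ngx_http_process_request_line(ngx_event_t *rev)
 ngx_http_client_errors[rc - NGX_HTTP_CLIENT_ERROR]);
 if (rc == NGX_HTTP_PARSE_INVALID_VERSION) {
- ngx_http_finalize_request(r, NGX_HTTP_VERSION_NOT_SUPPORTED);
+ (r->http_connection->ssl && clcf->strict_sni && clcf->strict_sni_header) ? ngx_http_terminate_request(r, 0) : ngx_http_finalize_request(r, NGX_HTTP_VERSION_NOT_SUPPORTED);
 } else {
- ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
+ (r->http_connection->ssl && clcf->strict_sni && clcf->strict_sni_header) ? ngx_http_terminate_request(r, 0) : ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
 }
 break;
@@ -1909,6 +1912,9 @@ ngx_http_process_multi_header_lines(ngx_http_request_t *r, ngx_table_elt_t *h,
 ngx_int_t
 ngx_http_process_request_header(ngx_http_request_t *r)
 {
+ ngx_http_core_loc_conf_t *clcf;
+ clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
+
 if (r->headers_in.server.len == 0
 && ngx_http_set_virtual_server(r, &r->headers_in.server)
 == NGX_ERROR)
@@ -1919,7 +1925,7 @@ ngx_http_process_request_header(ngx_http_request_t *r)
 if (r->headers_in.host == NULL && r->http_version > NGX_HTTP_VERSION_10) {
 ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
 "client sent HTTP/1.1 request without \"Host\" header");
- ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
+ (r->http_connection->ssl && clcf->strict_sni && clcf->strict_sni_header) ? ngx_http_terminate_request(r, 0) : ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
 return NGX_ERROR;
 }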
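Review bot: Removing the second `clcf = ngx_http_get_module_loc_conf(hc->conf_ctx, ngx_http_core_module);` after `hc->conf_ctx = cscf->ctx;` changes which server `ngx_set_connection_log(c, clcf->error_log)` sees: clcf is now fetched at the top of ngx_http_ssl_servername from the listening address's default server, so a virtual server selected by SNI no longer gets its own error_log attached to the connection; keeping that reassignment restores the old behaviour, and the early fetch remains correct for the strict_sni checks since the directive is main-conf only. Separately, the three new `return (clcf->strict_sni) ? SSL_TLSEXT_ERR_ALERT_FATAL : SSL_TLSEXT_ERR_OK;` lines leave `*ad` untouched, so the alert sent depends on the library's default (OpenSSL seeds it with unrecognized_name as far as I can tell); setting `*ad = SSL_AD_UNRECOGNIZED_NAME;` before each fatal return makes the intent explicit, as the existing handshaked branch does with SSL_AD_NO_RENEGOTIATION. In ngx_http_process_request_line and ngx_http_process_request_header the `(...) ? ngx_http_terminate_request(r, 0) : ngx_http_finalize_request(r, ...)` statements use a conditional expression purely for side effects and repeat the same three-term condition, which reads better as an if/else or as one small static helper that takes the fallback status. All of these hunks are fragments of functions whose bodies continue outside the diff.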