From f965e358b6ca878ead629dffb2f0df57230995ea Mon Sep 17 00:00:00 2001 From: Andrey Suvorov Date: Thu, 22 Jul 2021 11:23:48 -0700 Subject: [PATCH] Changing SNI callback return code if a client sends no SNI. When a client sends no SNI is a common situation. But currently the server processes it as an error and returns SSL_TLSEXT_ERR_ALERT_FATAL causing termination of a current TLS session. The problem occurs if configuration has more than one certificate bundle in a listener. This fix changes the return code to SSL_TLSEXT_ERR_OK and the log level of a message. --- docs/changes.xml | 8 ++++++++ src/nxt_openssl.c | 10 +++++----- 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/docs/changes.xml b/docs/changes.xml index 2aa9bb65..634bf9cd 100644 --- a/docs/changes.xml +++ b/docs/changes.xml @@ -43,6 +43,14 @@ process and thread lifecycle hooks in Ruby. + + +TLS connection was rejected for configuration with more than one +certificate bundle in a listener if a client did not use SNI. + + + + the router process could crash on TLS connection open when multiple listeners diff --git a/src/nxt_openssl.c b/src/nxt_openssl.c index 3b5d4fda..297e11cf 100644 --- a/src/nxt_openssl.c +++ b/src/nxt_openssl.c @@ -804,15 +804,15 @@ nxt_openssl_servername(SSL *s, int *ad, void *arg) } servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); - if (nxt_slow_path(servername == NULL)) { - nxt_log(c->socket.task, NXT_LOG_ALERT, "SSL_get_servername() returned " - "NULL in server name callback"); - return SSL_TLSEXT_ERR_ALERT_FATAL; + + if (servername == NULL) { + nxt_debug(c->socket.task, "SSL_get_servername(): NULL"); + goto done; } str.length = nxt_strlen(servername); if (str.length == 0) { - nxt_debug(c->socket.task, "client sent zero-length server name"); + nxt_debug(c->socket.task, "SSL_get_servername(): \"\" is empty"); goto done; }