Changing SNI callback return code if a client sends no SNI.

When a client sends no SNI is a common situation. But currently the server processes it as an error and returns SSL_TLSEXT_ERR_ALERT_FATAL causing termination of a current TLS session. The problem occurs if configuration has more than one certificate bundle in a listener. This fix changes the return code to SSL_TLSEXT_ERR_OK and the log level of a message.
2021-07-22 11:23:48 -07:00
parent c37ff7ed0e
commit f965e358b6
2 changed files with 13 additions and 5 deletions
--- a/docs/changes.xml
+++ b/docs/changes.xml
@@ -43,6 +43,14 @@ process and thread lifecycle hooks in Ruby.
 </para>
 </change>

+<change type="bugfix">
+<para>
+TLS connection was rejected for configuration with more than one
+certificate bundle in a listener if a client did not use SNI.
+</para>
+</change>
+
+
 <change type="bugfix">
 <para>
 the router process could crash on TLS connection open when multiple listeners
--- a/src/nxt_openssl.c
+++ b/src/nxt_openssl.c
@@ -804,15 +804,15 @@ nxt_openssl_servername(SSL *s, int *ad, void *arg)
    }

    servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
-    if (nxt_slow_path(servername == NULL)) {
-        nxt_log(c->socket.task, NXT_LOG_ALERT, "SSL_get_servername() returned "
-                                               "NULL in server name callback");
-        return SSL_TLSEXT_ERR_ALERT_FATAL;
+
+    if (servername == NULL) {
+        nxt_debug(c->socket.task, "SSL_get_servername(): NULL");
+        goto done;
    }

    str.length = nxt_strlen(servername);
    if (str.length == 0) {
-        nxt_debug(c->socket.task, "client sent zero-length server name");
+        nxt_debug(c->socket.task, "SSL_get_servername(): \"\" is empty");
        goto done;
    }