

Revert "Add Strict-SNI"
This reverts commit bbf9fa9, as upstream
are providing similar functionality with the upcoming
ssl_handshake_rejected directive.

Signed-off-by: Diab Neiroukh <lazerl0rd@thezest.dev>
lzlrd committed Nov 4, 2020
1 parent 64df4fe commit 4a15721
Showing 4 changed files with 14 additions and 62 deletions.
21 changes: 0 additions & 21 deletions src/event/ngx_event_openssl.c
Expand Up @@ -2973,9 +2973,6 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
char *text)
{
int n;
#if (defined SSL_R_CALLBACK_FAILED && defined SSL_F_FINAL_SERVER_NAME)
int f;
#endif
ngx_uint_t level;

level = NGX_LOG_CRIT;
Expand Down Expand Up @@ -3015,24 +3012,6 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,

n = ERR_GET_REASON(ERR_peek_error());

/* Strict SNI Error Patch
* https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-427040319
* https://github.com/hakasenyang/openssl-patch/issues/7#issuecomment-427872934
*/
#if (defined SSL_R_CALLBACK_FAILED && defined SSL_F_FINAL_SERVER_NAME)
if (n == SSL_R_CALLBACK_FAILED) {
f = ERR_GET_FUNC(ERR_peek_error());
if (f == SSL_F_FINAL_SERVER_NAME) {
while (ERR_peek_error()) {
ngx_ssl_error(NGX_LOG_DEBUG, c->log, 0,
"ignoring ssl error at STRICT SNI block");
}
ERR_clear_error();
return;
}
}
#endif

/* handshake failures */
if (n == SSL_R_BAD_CHANGE_CIPHER_SPEC /* 103 */
#ifdef SSL_R_NO_SUITABLE_KEY_SHARE
18 changes: 0 additions & 18 deletions src/http/ngx_http_core_module.c
Expand Up @@ -444,20 +444,6 @@ static ngx_command_t ngx_http_core_commands[] = {
offsetof(ngx_http_core_loc_conf_t, directio_alignment),
NULL },

{ ngx_string("strict_sni"),
NGX_HTTP_MAIN_CONF|NGX_CONF_FLAG,
ngx_conf_set_flag_slot,
NGX_HTTP_LOC_CONF_OFFSET,
offsetof(ngx_http_core_loc_conf_t, strict_sni),
NULL },

{ ngx_string("strict_sni_header"),
NGX_HTTP_MAIN_CONF|NGX_CONF_FLAG,
ngx_conf_set_flag_slot,
NGX_HTTP_LOC_CONF_OFFSET,
offsetof(ngx_http_core_loc_conf_t, strict_sni_header),
NULL },

{ ngx_string("tcp_nopush"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
ngx_conf_set_flag_slot,
Expand Down Expand Up @@ -3504,8 +3490,6 @@ ngx_http_core_create_loc_conf(ngx_conf_t *cf)
clcf->read_ahead = NGX_CONF_UNSET_SIZE;
clcf->directio = NGX_CONF_UNSET;
clcf->directio_alignment = NGX_CONF_UNSET;
clcf->strict_sni = NGX_CONF_UNSET;
clcf->strict_sni_header = NGX_CONF_UNSET;
clcf->tcp_nopush = NGX_CONF_UNSET;
clcf->tcp_nodelay = NGX_CONF_UNSET;
clcf->send_timeout = NGX_CONF_UNSET_MSEC;
Expand Down Expand Up @@ -3733,8 +3717,6 @@ ngx_http_core_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
NGX_OPEN_FILE_DIRECTIO_OFF);
ngx_conf_merge_off_value(conf->directio_alignment, prev->directio_alignment,
512);
ngx_conf_merge_value(conf->strict_sni, prev->strict_sni, 0);
ngx_conf_merge_value(conf->strict_sni_header, prev->strict_sni_header, 0);
ngx_conf_merge_value(conf->tcp_nopush, prev->tcp_nopush, 0);
ngx_conf_merge_value(conf->tcp_nodelay, prev->tcp_nodelay, 1);

2 changes: 0 additions & 2 deletions src/http/ngx_http_core_module.h
Expand Up @@ -386,8 +386,6 @@ struct ngx_http_core_loc_conf_s {
ngx_flag_t sendfile; /* sendfile */
ngx_flag_t aio; /* aio */
ngx_flag_t aio_write; /* aio_write */
ngx_flag_t strict_sni; /* strict_sni */
ngx_flag_t strict_sni_header; /* strict_sni_header */
ngx_flag_t tcp_nopush; /* tcp_nopush */
ngx_flag_t tcp_nodelay; /* tcp_nodelay */
ngx_flag_t reset_timedout_connection; /* reset_timedout_connection */
35 changes: 14 additions & 21 deletions src/http/ngx_http_request.c
Expand Up @@ -901,10 +901,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)

c = ngx_ssl_get_connection(ssl_conn);

hc = c->data;

clcf = ngx_http_get_module_loc_conf(hc->conf_ctx, ngx_http_core_module);

if (c->ssl->handshaked) {
*ad = SSL_AD_NO_RENEGOTIATION;
return SSL_TLSEXT_ERR_ALERT_FATAL;
Expand All @@ -913,7 +909,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);

if (servername == NULL) {
return (clcf->strict_sni) ? SSL_TLSEXT_ERR_ALERT_FATAL : SSL_TLSEXT_ERR_OK;
return SSL_TLSEXT_ERR_OK;
}

ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
Expand All @@ -922,7 +918,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
host.len = ngx_strlen(servername);

if (host.len == 0) {
return (clcf->strict_sni) ? SSL_TLSEXT_ERR_ALERT_FATAL : SSL_TLSEXT_ERR_OK;
return SSL_TLSEXT_ERR_OK;
}

host.data = (u_char *) servername;
Expand All @@ -938,6 +934,8 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
return SSL_TLSEXT_ERR_OK;
}

hc = c->data;

rc = ngx_http_find_virtual_server(c, hc->addr_conf->virtual_names, &host,
NULL, &cscf);

Expand All @@ -947,7 +945,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
}

if (rc == NGX_DECLINED) {
return (clcf->strict_sni) ? SSL_TLSEXT_ERR_ALERT_FATAL : SSL_TLSEXT_ERR_OK;
return SSL_TLSEXT_ERR_OK;
}

hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
Expand All @@ -960,6 +958,8 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)

hc->conf_ctx = cscf->ctx;

clcf = ngx_http_get_module_loc_conf(hc->conf_ctx, ngx_http_core_module);

ngx_set_connection_log(c, clcf->error_log);

sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
Expand Down Expand Up @@ -1137,18 +1137,15 @@ ngx_http_quic_handshake(ngx_event_t *rev)
static void
ngx_http_process_request_line(ngx_event_t *rev)
{
ssize_t n;
ngx_int_t rc, rv;
ngx_str_t host;
ngx_connection_t *c;
ngx_http_core_loc_conf_t *clcf;
ngx_http_request_t *r;
ssize_t n;
ngx_int_t rc, rv;
ngx_str_t host;
ngx_connection_t *c;
ngx_http_request_t *r;

c = rev->data;
r = c->data;

clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);

ngx_log_debug0(NGX_LOG_DEBUG_HTTP, rev->log, 0,
"http process request line");

Expand Down Expand Up @@ -1264,10 +1261,10 @@ ngx_http_process_request_line(ngx_event_t *rev)
ngx_http_client_errors[rc - NGX_HTTP_CLIENT_ERROR]);

if (rc == NGX_HTTP_PARSE_INVALID_VERSION) {
(r->http_connection->ssl && clcf->strict_sni && clcf->strict_sni_header) ? ngx_http_terminate_request(r, 0) : ngx_http_finalize_request(r, NGX_HTTP_VERSION_NOT_SUPPORTED);
ngx_http_finalize_request(r, NGX_HTTP_VERSION_NOT_SUPPORTED);

} else {
(r->http_connection->ssl && clcf->strict_sni && clcf->strict_sni_header) ? ngx_http_terminate_request(r, 0) : ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
}

break;
Expand Down Expand Up @@ -2026,9 +2023,6 @@ ngx_http_process_multi_header_lines(ngx_http_request_t *r, ngx_table_elt_t *h,
ngx_int_t
ngx_http_process_request_header(ngx_http_request_t *r)
{
ngx_http_core_loc_conf_t *clcf;
clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);

if (r->headers_in.server.len == 0
&& ngx_http_set_virtual_server(r, &r->headers_in.server)
== NGX_ERROR)
Expand All @@ -2040,7 +2034,6 @@ ngx_http_process_request_header(ngx_http_request_t *r)
ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
"client sent HTTP/1.1 request without \"Host\" header");
ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
(r->http_connection->ssl && clcf->strict_sni && clcf->strict_sni_header) ? ngx_http_terminate_request(r, 0) : ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
return NGX_ERROR;
}


