authorMaxim Dounin <mdounin@mdounin.ru>2019-03-05 16:34:19 +0300
committerMaxim Dounin <mdounin@mdounin.ru>2019-03-05 16:34:19 +0300
commit0ad4393e30c119d250415cb769e3d8bc8dce5186 (patch)
treeaeb76719875f586c250d1d44e2fed066a99e988a
parent0808b04c4690354aab43e0cdfe49588abb942e8c (diff)
SSL: moved c->ssl->handshaked check in server name callback.
Server name callback is always called by OpenSSL, even if server_name extension is not present in ClientHello. As such, checking c->ssl->handshaked before the SSL_get_servername() result should help to more effectively prevent renegotiation in OpenSSL 1.1.0 - 1.1.0g, where neither SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS nor SSL_OP_NO_RENEGOTIATION is available.
-rw-r--r--src/http/ngx_http_request.c12
1 files changed, 6 insertions, 6 deletions
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index d87e872bf..80c19656f 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -864,12 +864,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
ngx_http_core_loc_conf_t *clcf;
ngx_http_core_srv_conf_t *cscf;
- servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
-
- if (servername == NULL) {
- return SSL_TLSEXT_ERR_OK;
- }
-
c = ngx_ssl_get_connection(ssl_conn);
if (c->ssl->handshaked) {
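Review bot: The `if (c->ssl->handshaked)` check at the end of this hunk now runs on every server-name callback invocation, with or without an SNI extension, but nothing in the code records why it must precede the SSL_get_servername() call; a later cleanup that restores the NULL-servername early return above it would silently reintroduce the renegotiation gap the commit description describes. Suggest a why-comment directly above that line, e.g. `/* OpenSSL invokes this callback for every ClientHello, SNI or not; reject a post-handshake call before looking at the server name */`. The body of the handshaked branch and the remainder of ngx_http_ssl_servername lie outside this hunk, and the function's signature is above it.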
@@ -877,6 +871,12 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
+ servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
+
+ if (servername == NULL) {
+ return SSL_TLSEXT_ERR_OK;
+ }
+
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
"SSL server name: \"%s\"", servername);