46 lines
1.5 KiB
Diff
46 lines
1.5 KiB
Diff
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
|
|
index 684fabd..404aa77 100644
|
|
--- a/src/http/ngx_http_request.c
|
|
+++ b/src/http/ngx_http_request.c
|
|
@@ -921,6 +921,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
|
|
goto done;
|
|
}
|
|
|
|
+ sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);
|
|
+
|
|
+#if (defined TLS1_3_VERSION \
|
|
+ && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
|
|
+
|
|
+ /*
|
|
+ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
|
|
+ * but servername being negotiated in every TLSv1.3 handshake
|
|
+ * is only returned in OpenSSL 1.1.1+ as well
|
|
+ */
|
|
+
|
|
+ if (sscf->verify) {
|
|
+ const char *hostname;
|
|
+
|
|
+ hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
|
|
+
|
|
+ if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
|
|
+ c->ssl->handshake_rejected = 1;
|
|
+ *ad = SSL_AD_ACCESS_DENIED;
|
|
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
|
|
+ }
|
|
+ }
|
|
+
|
|
+#endif
|
|
+
|
|
hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
|
|
if (hc->ssl_servername == NULL) {
|
|
goto error;
|
|
@@ -934,8 +959,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
|
|
|
|
ngx_set_connection_log(c, clcf->error_log);
|
|
|
|
- sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
|
|
-
|
|
c->ssl->buffer_size = sscf->buffer_size;
|
|
|
|
if (sscf->ssl.ctx) {
|