[PATCH 2 of 3] SSL: reworked restriction on hosts other than negotiated
Maxim Dounin
mdounin at mdounin.ru
Sun Mar 9 00:27:41 UTC 2025
# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1741455881 -10800
# Sat Mar 08 20:44:41 2025 +0300
# Node ID 4dc9fb4dd95248df980aefbf946b4f299dcae00f
# Parent 48cff1a93a0e8ed50699e9201a805d5e14aab84d
SSL: reworked restriction on hosts other than negotiated.
Following 5095:4fbef397c753, attempts to request hosts other than negotiated
are rejected with 421 (Misdirected Request) HTTP error as long as certificate
verification is enabled in the requested server block.
With this change, such requests are now rejected in ngx_http_process_request(),
along with other certificate verification checks.
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -5068,6 +5068,47 @@ ngx_ssl_check_name(ngx_str_t *name, ASN1
ngx_int_t
+ngx_ssl_check_verify_context(ngx_connection_t *c, ngx_ssl_t *ssl)
+{
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+
+ SSL_CTX *ctx;
+ const char *name;
+
+ /*
+ * Check current SSL context to match the one where the certificate
+ * verification happened.
+ *
+ * If certificate verification was in the default server block without
+ * a server name, all contexts are allowed, as non-SNI clients are
+ * allowed to request other virtual servers.
+ *
+ * If there is no context in the current server block, verification
+ * is expected to happen in the default server.
+ */
+
+ ctx = SSL_get_SSL_CTX(c->ssl->connection);
+ name = SSL_get_servername(c->ssl->connection, TLSEXT_NAMETYPE_host_name);
+
+ if (ctx == ssl->ctx) {
+ return NGX_OK;
+ }
+
+ if (ctx == c->ssl->session_ctx && (ssl->ctx == NULL || name == NULL)) {
+ return NGX_OK;
+ }
+
+ return NGX_ERROR;
+
+#else
+
+ return NGX_OK;
+
+#endif
+}
+
+
+ngx_int_t
ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
s->data = (u_char *) SSL_get_version(c->ssl->connection);
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -259,6 +259,7 @@ ngx_ssl_session_t *ngx_ssl_get0_session(
|| n == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)
ngx_int_t ngx_ssl_check_host(ngx_connection_t *c, ngx_str_t *name);
+ngx_int_t ngx_ssl_check_verify_context(ngx_connection_t *c, ngx_ssl_t *ssl);
ngx_int_t ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool,
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -2073,6 +2073,16 @@ ngx_http_process_request(ngx_http_reques
sscf = ngx_http_get_module_srv_conf(r, ngx_http_ssl_module);
if (sscf->verify) {
+
+ if (ngx_ssl_check_verify_context(c, &sscf->ssl) != NGX_OK) {
+ ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+ "client SSL certificate was negotiated "
+ "with a different server name");
+
+ ngx_http_finalize_request(r, NGX_HTTP_MISDIRECTED_REQUEST);
+ return;
+ }
+
rc = SSL_get_verify_result(c->ssl->connection);
if (rc != X509_V_OK
@@ -2280,22 +2290,10 @@ ngx_http_set_virtual_server(ngx_http_req
#if (NGX_HTTP_SSL && defined SSL_CTRL_SET_TLSEXT_HOSTNAME)
if (hc->ssl_servername) {
- ngx_http_ssl_srv_conf_t *sscf;
-
if (rc == NGX_DECLINED) {
cscf = hc->addr_conf->default_server;
rc = NGX_OK;
}
-
- sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);
-
- if (sscf->verify) {
- ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
- "client attempted to request the server name "
- "different from the one that was negotiated");
- ngx_http_finalize_request(r, NGX_HTTP_MISDIRECTED_REQUEST);
- return NGX_ERROR;
- }
}
#endif
More information about the nginx-devel
mailing list