diff options
author | Andrey Suvorov <a.suvorov@f5.com> | 2021-07-22 11:23:48 -0700 |
---|---|---|
committer | Andrey Suvorov <a.suvorov@f5.com> | 2021-07-22 11:23:48 -0700 |
commit | f965e358b6ca878ead629dffb2f0df57230995ea (patch) | |
tree | 047c668d5ccb94f62dad35ac27e2478e330c42e0 /src | |
parent | c37ff7ed0ed06b0e928efdb217a8999ff3ff7f50 (diff) | |
download | unit-f965e358b6ca878ead629dffb2f0df57230995ea.tar.gz unit-f965e358b6ca878ead629dffb2f0df57230995ea.tar.bz2 |
Changing SNI callback return code if a client sends no SNI.
When a client sends no SNI is a common situation. But currently the server
processes it as an error and returns SSL_TLSEXT_ERR_ALERT_FATAL causing
termination of a current TLS session. The problem occurs if configuration has
more than one certificate bundle in a listener.
This fix changes the return code to SSL_TLSEXT_ERR_OK and the log level of a
message.
Diffstat (limited to '')
-rw-r--r-- | src/nxt_openssl.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/src/nxt_openssl.c b/src/nxt_openssl.c index 3b5d4fda..297e11cf 100644 --- a/src/nxt_openssl.c +++ b/src/nxt_openssl.c @@ -804,15 +804,15 @@ nxt_openssl_servername(SSL *s, int *ad, void *arg) } servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); - if (nxt_slow_path(servername == NULL)) { - nxt_log(c->socket.task, NXT_LOG_ALERT, "SSL_get_servername() returned " - "NULL in server name callback"); - return SSL_TLSEXT_ERR_ALERT_FATAL; + + if (servername == NULL) { + nxt_debug(c->socket.task, "SSL_get_servername(): NULL"); + goto done; } str.length = nxt_strlen(servername); if (str.length == 0) { - nxt_debug(c->socket.task, "client sent zero-length server name"); + nxt_debug(c->socket.task, "SSL_get_servername(): \"\" is empty"); goto done; } |