summaryrefslogtreecommitdiffhomepage
path: root/src
diff options
context:
space:
mode:
authorAndrey Suvorov <a.suvorov@f5.com>2021-07-22 11:23:48 -0700
committerAndrey Suvorov <a.suvorov@f5.com>2021-07-22 11:23:48 -0700
commitf965e358b6ca878ead629dffb2f0df57230995ea (patch)
tree047c668d5ccb94f62dad35ac27e2478e330c42e0 /src
parentc37ff7ed0ed06b0e928efdb217a8999ff3ff7f50 (diff)
downloadunit-f965e358b6ca878ead629dffb2f0df57230995ea.tar.gz
unit-f965e358b6ca878ead629dffb2f0df57230995ea.tar.bz2
Changing SNI callback return code if a client sends no SNI.
When a client sends no SNI is a common situation. But currently the server processes it as an error and returns SSL_TLSEXT_ERR_ALERT_FATAL causing termination of a current TLS session. The problem occurs if configuration has more than one certificate bundle in a listener. This fix changes the return code to SSL_TLSEXT_ERR_OK and the log level of a message.
Diffstat (limited to '')
-rw-r--r--src/nxt_openssl.c10
1 files changed, 5 insertions, 5 deletions
diff --git a/src/nxt_openssl.c b/src/nxt_openssl.c
index 3b5d4fda..297e11cf 100644
--- a/src/nxt_openssl.c
+++ b/src/nxt_openssl.c
@@ -804,15 +804,15 @@ nxt_openssl_servername(SSL *s, int *ad, void *arg)
}
servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
- if (nxt_slow_path(servername == NULL)) {
- nxt_log(c->socket.task, NXT_LOG_ALERT, "SSL_get_servername() returned "
- "NULL in server name callback");
- return SSL_TLSEXT_ERR_ALERT_FATAL;
+
+ if (servername == NULL) {
+ nxt_debug(c->socket.task, "SSL_get_servername(): NULL");
+ goto done;
}
str.length = nxt_strlen(servername);
if (str.length == 0) {
- nxt_debug(c->socket.task, "client sent zero-length server name");
+ nxt_debug(c->socket.task, "SSL_get_servername(): \"\" is empty");
goto done;
}