-rw-r--r--docs/changes.xml8
-rw-r--r--src/nxt_openssl.c10
2 files changed, 13 insertions, 5 deletions
diff --git a/docs/changes.xml b/docs/changes.xml
index 2aa9bb65..634bf9cd 100644
--- a/docs/changes.xml
+++ b/docs/changes.xml
@@ -45,6 +45,14 @@ process and thread lifecycle hooks in Ruby.
<change type="bugfix">
<para>
+TLS connection was rejected for configuration with more than one
+certificate bundle in a listener if a client did not use SNI.
+</para>
+</change>
+
+
+<change type="bugfix">
+<para>
the router process could crash on TLS connection open when multiple listeners
with TLS certificate configured; the bug had appeared in 1.23.0.
</para>
diff --git a/src/nxt_openssl.c b/src/nxt_openssl.c
index 3b5d4fda..297e11cf 100644
--- a/src/nxt_openssl.c
+++ b/src/nxt_openssl.c
@@ -804,15 +804,15 @@ nxt_openssl_servername(SSL *s, int *ad, void *arg)
}
servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
- if (nxt_slow_path(servername == NULL)) {
- nxt_log(c->socket.task, NXT_LOG_ALERT, "SSL_get_servername() returned "
- "NULL in server name callback");
- return SSL_TLSEXT_ERR_ALERT_FATAL;
+
+ if (servername == NULL) {
+ nxt_debug(c->socket.task, "SSL_get_servername(): NULL");
+ goto done;
}
str.length = nxt_strlen(servername);
if (str.length == 0) {
- nxt_debug(c->socket.task, "client sent zero-length server name");
+ nxt_debug(c->socket.task, "SSL_get_servername(): \"\" is empty");
goto done;
}
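Review bot: The new `servername == NULL` branch jumps to `done` without a comment saying which certificate a client without SNI is served, and the `done` label is outside this hunk, so the fallback cannot be read from here. Because the changelog entry ties this path to listeners with more than one certificate bundle, a comment above the check such as `/* No SNI from the client: keep the listener's default certificate bundle. */` would document the intent; it is also worth confirming that the default bundle is chosen deterministically when several are configured. Lowering the message from NXT_LOG_ALERT to `nxt_debug` fits, since a missing SNI is normal client behaviour, but it presumably means non-SNI handshakes leave no trace outside debug logging. The body of nxt_openssl_servername starts and ends outside the hunk.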