changeset 9458:a248091b0e30
SNI: support for early ClientHello callback with BoringSSL.
This brings feature parity with OpenSSL after the previous change,
making it possible to set SSL protocols per virtual server.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Mon, 22 Sep 2025 19:55:16 +0400 |
| parents | fa9e8292a672 |
| children | f0919241f8a4 |
| files | src/event/ngx_event_openssl.c src/event/ngx_event_openssl.h src/http/ngx_http_request.c src/stream/ngx_stream_ssl_module.c |
| diffstat | 4 files changed, 49 insertions(+), 0 deletions(-) [+] |
--- a/src/event/ngx_event_openssl.c Tue Jan 28 00:53:15 2025 +0400
+++ b/src/event/ngx_event_openssl.c Mon Sep 22 19:55:16 2025 +0400
@@ -1663,6 +1663,11 @@
 SSL_CTX_set_client_hello_cb(ssl_ctx, ngx_ssl_client_hello_callback, NULL);
 SSL_CTX_set_ex_data(ssl_ctx, ngx_ssl_client_hello_arg_index, cb);
+#elif defined OPENSSL_IS_BORINGSSL
+
+ SSL_CTX_set_select_certificate_cb(ssl_ctx, ngx_ssl_select_certificate);
+ SSL_CTX_set_ex_data(ssl_ctx, ngx_ssl_client_hello_arg_index, cb);
+
 #endif
 }
@@ -1727,6 +1732,37 @@
 return SSL_CLIENT_HELLO_SUCCESS;
 }
+#elif defined OPENSSL_IS_BORINGSSL
+
+enum ssl_select_cert_result_t ngx_ssl_select_certificate(
+ const SSL_CLIENT_HELLO *client_hello)
+{
+ int ad;
+ ngx_int_t rc;
+ ngx_ssl_conn_t *ssl_conn;
+ ngx_connection_t *c;
+ ngx_ssl_client_hello_arg *cb;
+
+ ssl_conn = client_hello->ssl;
+ c = ngx_ssl_get_connection(ssl_conn);
+ cb = SSL_CTX_get_ex_data(c->ssl->session_ctx,
+ ngx_ssl_client_hello_arg_index);
+
+ /*
+ * BoringSSL sends a hardcoded "handshake_failure" alert on errors,
+ * we use it to map SSL_AD_INTERNAL_ERROR. To preserve other alert
+ * values, error handling is postponed to the servername callback.
+ */
+
+ rc = cb->servername(ssl_conn, &ad, NULL);
+
+ if (rc == SSL_TLSEXT_ERR_ALERT_FATAL && ad == SSL_AD_INTERNAL_ERROR) {
+ return ssl_select_cert_error;
+ }
+
+ return ssl_select_cert_success;
+}
+
 #endif
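Review bot: In ngx_ssl_select_certificate the local `ad` is never initialized, so the `ad == SSL_AD_INTERNAL_ERROR` test after `cb->servername(ssl_conn, &ad, NULL)` is only safe if every SSL_TLSEXT_ERR_ALERT_FATAL path in the http and stream servername callbacks stores `*ad` before returning; the `&&` short-circuit covers the non-fatal case but nothing in this file guarantees the fatal one. Setting a fail-closed default before the call, `ad = SSL_AD_INTERNAL_ERROR;`, makes a fatal return with an unset alert map to `ssl_select_cert_error` instead of reading indeterminate stack memory. The block comment would also benefit from stating the contract explicitly, since a fatal alert other than internal_error is answered with `ssl_select_cert_success` here and is only enforced if BoringSSL later invokes the servername callback and that callback re-raises it; the `handshake_rejected` checks added in the http and stream modules appear to do that for the reject-handshake case, but any other non-internal fatal alert from the first call would be silently dropped.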
--- a/src/event/ngx_event_openssl.h Tue Jan 28 00:53:15 2025 +0400
+++ b/src/event/ngx_event_openssl.h Mon Sep 22 19:55:16 2025 +0400
@@ -298,6 +298,9 @@
 ngx_ssl_client_hello_arg *cb);
 #ifdef SSL_CLIENT_HELLO_SUCCESS
 int ngx_ssl_client_hello_callback(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg);
+#elif defined OPENSSL_IS_BORINGSSL
+enum ssl_select_cert_result_t ngx_ssl_select_certificate(
+ const SSL_CLIENT_HELLO *client_hello);
 #endif
 ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,
--- a/src/http/ngx_http_request.c Tue Jan 28 00:53:15 2025 +0400
+++ b/src/http/ngx_http_request.c Mon Sep 22 19:55:16 2025 +0400
@@ -895,6 +895,11 @@
 return SSL_TLSEXT_ERR_OK;
 }
+ if (c->ssl->handshake_rejected) {
+ *ad = SSL_AD_UNRECOGNIZED_NAME;
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
+ }
+
 hc = c->data;
 if (arg != NULL) {
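Review bot: The new `handshake_rejected` check carries no comment, and its purpose is not obvious from the hunk: it is reached on a second invocation of the servername callback after an earlier one (presumably the early ClientHello/select-certificate path, whose BoringSSL variant cannot forward a specific alert) has already set the flag, and it replays the rejection so the handshake does not proceed to certificate selection. A one-line comment above the check would prevent the next maintainer from removing it as redundant: `/* rejected by the early ClientHello callback, reissue the alert */`. Note also that the alert is always unrecognized_name regardless of which path set the flag, which is correct only if `handshake_rejected` is set solely on the ssl_reject_handshake path; that cannot be confirmed from this hunk. The enclosing servername callback begins and ends outside the hunk.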
--- a/src/stream/ngx_stream_ssl_module.c Tue Jan 28 00:53:15 2025 +0400
+++ b/src/stream/ngx_stream_ssl_module.c Mon Sep 22 19:55:16 2025 +0400
@@ -559,6 +559,11 @@
 return SSL_TLSEXT_ERR_OK;
 }
+ if (c->ssl->handshake_rejected) {
+ *ad = SSL_AD_UNRECOGNIZED_NAME;
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
+ }
+
 s = c->data;
 if (arg) {
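Review bot: This is the same four-line `handshake_rejected` block as in ngx_http_request.c, again without a comment explaining that it exists to re-raise a rejection the early ClientHello callback could not signal itself; the two copies must stay identical for the BoringSSL path in ngx_ssl_select_certificate to be safe in both modules. Either add the same why-comment here, `/* rejected by the early ClientHello callback, reissue the alert */`, or move the check into a small shared helper in ngx_event_openssl.c so http and stream cannot drift apart. The enclosing stream servername callback begins and ends outside the hunk.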
