Opened 4 years ago

Closed 4 years ago

#1192 closed defect (fixed)

ssl configuration inherited from the wrong server block

Reported by: Alexey Ivanov
Owned by:
Priority: minor
Milestone:
Component: other
Version: 1.11.x
Keywords:
Cc:
uname -a: Linux 3.16.XXXX x86_64
nginx -V: % ./objs/nginx -V
nginx version: nginx/1.11.10
built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)
built with OpenSSL 1.0.1 14 Mar 2012
TLS SNI support enabled
configure arguments: --with-http_ssl_module --with-debug --with-http_v2_module

Description

I have the following configuration:

daemon off;
master_process off;

error_log stderr debug;

events {
    worker_connections  1024;
}


http {
    # catch-all HTTPS server
    server {
        listen       127.0.0.1:9443 ssl http2;
        server_name  _;

        ssl_certificate      server.crt;
        ssl_certificate_key  server.key;
        location / {
            return 444;
        }
    }

    # HTTPS server
    server {
        listen       127.0.0.1:9443 ssl http2;
        server_name  example.com;

        # THIS DOES NOT WORK
        ssl_buffer_size 4k;

        ssl_certificate      server.crt;
        ssl_certificate_key  server.key;

        location / {
            root   html;
        }
    }
}

... its aim is to drop all traffic with domain name != example.com

Though if you curl a big file there, e.g.:

curl -s -o /dev/null -k -v --resolve example.com:9443:127.0.0.1 'https://example.com:9443/somebigfile'

you can see that nginx is not applying ssl_buffer_size from the server block with a proper server_name, but instead is using 16k (| fgrep 'SSL_write:'), which I assume is inherited from block with server_name _.

PS. It most likely behaves like that for all ssl_ directives, including ssl_certificate and ssl_certificate_key, not only for the ssl_buffer_size.
PPS. curl is using SNI, so nginx should have enough data to pick proper server block during the ssl negotiation step.
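The reporter's check is manual: run curl against the SNI vhost and grep the debug log for `SSL_write:`. As an added example (not part of the ticket and not nginx code), the script below automates that verification over a saved nginx debug log: it correlates each connection id (`*N`) with the `SSL server name: "..."` line nginx logs in the SNI callback, takes the largest `SSL_write: N` seen on that connection, and flags connections whose writes exceed the `ssl_buffer_size` configured for the vhost that SNI selected. The expected sizes mirror the ticket's config (16k default for the catch-all `_`, 4k for example.com); the log lines are constructed for the example, and the exact debug-line shapes are an assumption based on nginx's debug output, so adjust the regexes if your build logs differently.

```python
"""Verify that per-server_name ssl_buffer_size actually took effect.

Parses nginx debug-log lines, maps each connection ("*N") to the SNI name
nginx logged for it, and compares the largest SSL_write on that connection
with the buffer size configured for the selected server block.  Line shapes
("SSL server name: ..." and "SSL_write: N") are assumed from nginx's debug
output; the sample lines below are constructed for this example.
"""
import re
from collections import defaultdict

# Expected ssl_buffer_size per server_name, in bytes (mirrors the ticket's
# config: 16k default on the catch-all "_", 4k on example.com).
EXPECTED = {"_": 16384, "example.com": 4096}
DEFAULT_SERVER = "_"

# "<date> <time> [debug] <pid>#<tid>: *<conn> <message>"  (assumed shape)
LINE_RE = re.compile(r"^\S+ \S+ \[debug\] \d+#\d+: \*(?P<conn>\d+) (?P<msg>.*)$")
SNI_RE = re.compile(r'^SSL server name: "(?P<name>[^"]*)"$')
WRITE_RE = re.compile(r"^SSL_write: (?P<n>\d+)$")


def parse_log(lines):
    """Return {conn_id: {"sni": name or None, "max_write": largest SSL_write}}."""
    conns = defaultdict(lambda: {"sni": None, "max_write": 0})
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # unrelated debug noise
        conn, msg = m.group("conn"), m.group("msg")
        s = SNI_RE.match(msg)
        if s:
            conns[conn]["sni"] = s.group("name")
            continue
        w = WRITE_RE.match(msg)
        if w:
            n = int(w.group("n"))
            if n > conns[conn]["max_write"]:
                conns[conn]["max_write"] = n
    return dict(conns)


def check_buffer_sizes(conns, expected=EXPECTED, default=DEFAULT_SERVER):
    """Return (conn_id, sni, configured, observed) for every connection whose
    largest SSL_write is bigger than the ssl_buffer_size of the vhost SNI
    selected.  A missing or unknown SNI name falls to the default server,
    which is how nginx picks the catch-all block."""
    findings = []
    for conn, info in conns.items():
        name = info["sni"] if info["sni"] in expected else default
        limit = expected[name]
        if info["max_write"] > limit:
            findings.append((conn, info["sni"], limit, info["max_write"]))
    return findings


# Constructed sample: connection *1 shows the bug from the ticket (example.com
# written with the 16k buffer of the catch-all), *2 shows the patched
# behaviour, *3 has no SNI and is legitimately served by the catch-all.
SAMPLE_LOG = [
    '2017/01/31 20:19:13 [debug] 4242#0: *1 SSL server name: "example.com"',
    '2017/01/31 20:19:13 [debug] 4242#0: *1 SSL_write: 16384',
    '2017/01/31 20:19:13 [debug] 4242#0: *1 SSL_write: 16384',
    '2017/01/31 20:19:14 [debug] 4242#0: *2 SSL server name: "example.com"',
    '2017/01/31 20:19:14 [debug] 4242#0: *2 SSL_write: 4096',
    '2017/01/31 20:19:14 [debug] 4242#0: *2 SSL_write: 1200',
    '2017/01/31 20:19:15 [debug] 4242#0: *3 SSL_write: 16384',
]

if __name__ == "__main__":
    for conn, sni, limit, seen in check_buffer_sizes(parse_log(SAMPLE_LOG)):
        print(f"conn *{conn} sni={sni!r}: configured {limit}, observed SSL_write {seen}")
```

Run it against a real log with `error_log stderr debug;` captured to a file and the `EXPECTED` map filled from your own server blocks; a finding means the buffer size of a different server block was applied to that connection, exactly the symptom this ticket reports.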

Change History (4)

comment:1 by Maxim Dounin, 4 years ago

Please try the following patch:

# HG changeset patch
# User Maxim Dounin <mdounin@mdounin.ru>
# Date 1485883153 -10800
#      Tue Jan 31 20:19:13 2017 +0300
# Node ID f67c796d6cfbf4e86c314db9a9d07e9f75c12e54
# Parent  d30ca36a40deccdaf49ea46ce6f2750d8aa02d9f
SSL: fixed ssl_buffer_size on SNI virtual hosts (ticket #1192).

Previously, buffer size was not changed from the one saved during
initial ngx_ssl_create_connection(), even if the buffer itself was not
yet created.  Fix is to change c->ssl->buffer_size in the SNI callback.

Note that it should be also possible to update buffer size even in non-SNI
virtual hosts as long as the buffer is not yet allocated.  This looks
like an overcomplication though.

diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -884,6 +884,8 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *
 
     sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
 
+    c->ssl->buffer_size = sscf->buffer_size;
+
     if (sscf->ssl.ctx) {
         SSL_set_SSL_CTX(ssl_conn, sscf->ssl.ctx);
 

comment:2 by Alexey Ivanov, 4 years ago

Patch worked great, thanks.

comment:3 by Maxim Dounin <mdounin@…>, 4 years ago

In 6901:72bb626484a4/nginx:

SSL: fixed ssl_buffer_size on SNI virtual hosts (ticket #1192).

Previously, buffer size was not changed from the one saved during
initial ngx_ssl_create_connection(), even if the buffer itself was not
yet created. Fix is to change c->ssl->buffer_size in the SNI callback.

Note that it should be also possible to update buffer size even in non-SNI
virtual hosts as long as the buffer is not yet allocated. This looks
like an overcomplication though.

comment:4 by Maxim Dounin, 4 years ago

Resolution: fixed
Status: new → closed