Opened 8 years ago
Closed 8 years ago
#1192 closed defect (fixed)
ssl configuration inherited from the wrong server block
| Reported by: | Alexey Ivanov | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | other | Version: | 1.11.x |
| Keywords: | Cc: | ||
| uname -a: | Linux 3.16.XXXX x86_64 | ||
| nginx -V: |
% ./objs/nginx -V
nginx version: nginx/1.11.10 built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) built with OpenSSL 1.0.1 14 Mar 2012 TLS SNI support enabled configure arguments: --with-http_ssl_module --with-debug --with-http_v2_module |
||
Description
I have the following configuration:
daemon off;
master_process off;
error_log stderr debug;
events {
worker_connections 1024;
}
http {
# catch-all HTTPS server
server {
listen 127.0.0.1:9443 ssl http2;
server_name _;
ssl_certificate server.crt;
ssl_certificate_key server.key;
location / {
return 444;
}
}
# HTTPS server
server {
listen 127.0.0.1:9443 ssl http2;
server_name example.com;
# THIS DOES NOT WORK
ssl_buffer_size 4k;
ssl_certificate server.crt;
ssl_certificate_key server.key;
location / {
root html;
}
}
}
... its aim is to drop all traffic with domain name != example.com
Though if you curl a big file there, e.g.:
curl -s -o /dev/null -k -v --resolve example.com:9443:127.0.0.1 'https://example.com:9443/somebigfile'
you can see that nginx is not applying ssl_buffer_size from the server block with a proper server_name, but instead is using 16k (| fgrep 'SSL_write:'), which I assume is inherited from block with server_name _.
PS. It most likely behaves like that for all ssl_ directives, including ssl_certificate and ssl_certificate_key, not only for the ssl_buffer_size.
PPS. curl is using SNI, so nginx should have enough data to pick proper server block during the ssl negotiation step.
Change History (4)
comment:1 by , 8 years ago
comment:4 by , 8 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
Please try the following patch:
# HG changeset patch # User Maxim Dounin <mdounin@mdounin.ru> # Date 1485883153 -10800 # Tue Jan 31 20:19:13 2017 +0300 # Node ID f67c796d6cfbf4e86c314db9a9d07e9f75c12e54 # Parent d30ca36a40deccdaf49ea46ce6f2750d8aa02d9f SSL: fixed ssl_buffer_size on SNI virtual hosts (ticket #1192). Previously, buffer size was not changed from the one saved during initial ngx_ssl_create_connection(), even if the buffer itself was not yet created. Fix is to change c->ssl->buffer_size in the SNI callback. Note that it should be also possible to update buffer size even in non-SNI virtual hosts as long as the buffer is not yet allocated. This looks like an overcomplication though. diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -884,6 +884,8 @@ ngx_http_ssl_servername(ngx_ssl_conn_t * sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module); + c->ssl->buffer_size = sscf->buffer_size; + if (sscf->ssl.ctx) { SSL_set_SSL_CTX(ssl_conn, sscf->ssl.ctx);