LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6754 Commits
1 Branch
46 MiB
Tree: 2b9f64ebde
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '2b9f64ebde'
${ noResults }
openwrt-packages-dist/net/haproxy/patches/0016-BUG-MEDIUM-ssl-for-a-h...

66 lines
2.5 KiB
Raw Normal View History

haproxy: bump to 1.7.1-19 - fix wrong ncurses depency - integrate patches from mainline Signed-off-by: heil <heil@terminal-consulting.de>
8 years ago
 
  1. From 5fbcf1a914507b4c73d83387fdc5e8f612d83558 Mon Sep 17 00:00:00 2001
  2. From: Willy Tarreau <w@1wt.eu>
  3. Date: Thu, 22 Dec 2016 21:58:38 +0100
  4. Subject: [PATCH 16/19] BUG/MEDIUM: ssl: for a handshake when server-side SNI
  5.  changes
  6. 

  7. Calling SSL_set_tlsext_host_name() on the current SSL ctx has no effect
  8. if the session is being resumed because the hostname is already stored
  9. in the session and is not advertised again in subsequent connections.
  10. It's visible when enabling SNI and health checks at the same time because
  11. checks do not send an SNI and regular traffic reuses the same connection,
  12. resulting in no SNI being sent.
  13. 

  14. The only short-term solution is to reset the reused session when the
  15. SNI changes compared to the previous one. It can make the server-side
  16. performance suffer when SNIs are interleaved but it will work. A better
  17. long-term solution would be to keep a small cache of a few contexts for
  18. a few SNIs.
  19. 

  20. Now with SSL_set_session(ctx, NULL) it works. This needs to be double-
  21. checked though. The man says that SSL_set_session() frees any previously
  22. existing context. Some people report a bit of breakage when calling
  23. SSL_set_session(NULL) on openssl 1.1.0a (freed session not reusable at
  24. all though it's not an issue for now).
  25. 

  26. This needs to be backported to 1.7 and 1.6.
  27. (cherry picked from commit 119a4084bf88418bce74d8af686576e371700c20)
  28. ---

  29.  src/ssl_sock.c | 15 +++++++++++++++
  30.  1 file changed, 15 insertions(+)
  31. 

  32. diff --git a/src/ssl_sock.c b/src/ssl_sock.c

  33. index 55eaa28..77fb4b3 100644

  34. --- a/src/ssl_sock.c

  35. +++ b/src/ssl_sock.c

  36. @@ -4143,12 +4143,27 @@ char *ssl_sock_get_version(struct connection *conn)

  37.  	return (char *)SSL_get_version(conn->xprt_ctx);
  38.  }
  39.  
  40. +/* Sets advertised SNI for outgoing connections. Please set <hostname> to NULL

  41. + * to disable SNI.

  42. + */

  43.  void ssl_sock_set_servername(struct connection *conn, const char *hostname)
  44.  {
  45.  #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
  46. +	char *prev_name;

  47. +

  48.  	if (!ssl_sock_is_ssl(conn))
  49.  		return;
  50.  
  51. +	/* if the SNI changes, we must destroy the reusable context so that a

  52. +	 * new connection will present a new SNI. As an optimization we could

  53. +	 * later imagine having a small cache of ssl_ctx to hold a few SNI per

  54. +	 * server.

  55. +	 */

  56. +	prev_name = (char *)SSL_get_servername(conn->xprt_ctx, TLSEXT_NAMETYPE_host_name);

  57. +	if ((!prev_name && hostname) ||

  58. +	    (prev_name && (!hostname || strcmp(hostname, prev_name) != 0)))

  59. +		SSL_set_session(conn->xprt_ctx, NULL);

  60. +

  61.  	SSL_set_tlsext_host_name(conn->xprt_ctx, hostname);
  62.  #endif
  63.  }
  64. -- 

  65. 2.10.2
  66.