[nginx] svn commit: r5096 - trunk/src/http

vbart at nginx.com vbart at nginx.com
Wed Feb 27 17:41:34 UTC 2013 

Author: vbart
Date: 2013-02-27 17:41:34 +0000 (Wed, 27 Feb 2013)
New Revision: 5096
URL: http://trac.nginx.org/nginx/changeset/5096/nginx

Log:
SNI: added restriction on requesting host other than negotiated.

According to RFC 6066, client is not supposed to request a different server
name at the application layer.  Server implementations that rely upon these
names being equal must validate that a client did not send a different name
in HTTP request.  Current versions of Apache HTTP server always return 400
"Bad Request" in such cases.

There exist implementations however (e.g., SPDY) that rely on being able to
request different host names in one connection.  Given this, we only reject
requests with differing host names if verification of client certificates
is enabled in a corresponding server configuration.

An example of configuration that might not work as expected:

  server {
      listen 433 ssl default;
      return 404;
  }

  server {
      listen 433 ssl;
      server_name example.org;

      ssl_client_certificate org.cert;
      ssl_verify_client on;
  }

  server {
      listen 433 ssl;
      server_name example.com;

      ssl_client_certificate com.cert;
      ssl_verify_client on;
  }

Previously, a client was able to request example.com by presenting
a certificate for example.org, and vice versa.


Modified:
   trunk/src/http/ngx_http_request.c

Modified: trunk/src/http/ngx_http_request.c
===================================================================
--- trunk/src/http/ngx_http_request.c	2013-02-27 17:38:54 UTC (rev 5095)
+++ trunk/src/http/ngx_http_request.c	2013-02-27 17:41:34 UTC (rev 5096)
@@ -1872,10 +1872,22 @@
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
 
     if (hc->ssl_servername) {
+        ngx_http_ssl_srv_conf_t  *sscf;
+
         if (rc == NGX_DECLINED) {
             cscf = hc->addr_conf->default_server;
             rc = NGX_OK;
         }
+
+        sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);
+
+        if (sscf->verify) {
+            ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                          "client attempted to request the server name "
+                          "different from that one was negotiated");
+            ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
+            return NGX_ERROR;
+        }
     }
 
 #endif

More information about the nginx-devel mailing list