[PATCH] SNI: better server name handling.

Piotr Sikora piotr at cloudflare.com
Tue May 21 23:11:36 UTC 2013


# HG changeset patch
# User Piotr Sikora <piotr at cloudflare.com>
# Date 1369177319 25200
# Node ID 4b277448dfd56751c7c88477e78b2ba3cf6ae472
# Parent  1d68b502088c9d6e6603e9699354e36d03d77f9c
SNI: better server name handling.

Acknowledge acceptance of SNI server name to the OpenSSL library,
which in turn lets the client know that it was accepted (by sending
"server_name" TLS extension in the "ServerHello" handshake message,
as suggested by RFC4366).

Previously, this would happen only when the requested server name was
on the "server_name" list and either there were multiple virtual
servers defined for the same listening port or there was at least one
regular expression with captures in the "server_name" directive.

As a consequence, this change also:
1. Preserves requested SNI server name for future use.
2. Avoids unnecessary setting of SSL options if the virtual server
   didn't change.
3. Avoids unnecessary lookup of virtual server later on if requested
   HTTP server name is the same as requested SNI server name.

Signed-off-by: Piotr Sikora <piotr at cloudflare.com>

diff -r 1d68b502088c -r 4b277448dfd5 src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c       Tue May 21 21:47:50 2013 +0400
+++ b/src/http/ngx_http_request.c       Tue May 21 16:01:59 2013 -0700
@@ -773,6 +773,7 @@
     ngx_http_ssl_srv_conf_t   *sscf;
     ngx_http_core_loc_conf_t  *clcf;
     ngx_http_core_srv_conf_t  *cscf;
+    ngx_int_t                  rc;

     servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);

@@ -799,10 +800,10 @@

     hc = c->data;

-    if (ngx_http_find_virtual_server(c, hc->addr_conf->virtual_names, &host,
-                                     NULL, &cscf)
-        != NGX_OK)
-    {
+    rc = ngx_http_find_virtual_server(c, hc->addr_conf->virtual_names, &host,
+                                      NULL, &cscf);
+
+    if (rc == NGX_ERROR) {
         return SSL_TLSEXT_ERR_NOACK;
     }

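Review bot: Narrowing the early exit to `rc == NGX_ERROR` lets the `NGX_DECLINED` case continue with `cscf` still unassigned (it is declared without an initializer in the first hunk and, presumably, is only written by ngx_http_find_virtual_server on `NGX_OK`); the only thing that keeps the later `cscf->ctx` read in the third hunk safe is the `rc == NGX_DECLINED ||` short-circuit there. That dependency on evaluation order is easy to break in a future edit, so it is worth stating next to the test, e.g. `/* NGX_DECLINED: no virtual server matched; cscf is left unset and must not be read */` above `if (rc == NGX_ERROR) {`, or initializing the pointer to NULL in the declaration. The enclosing function begins before this hunk and continues after it.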
@@ -813,6 +814,10 @@

     *hc->ssl_servername = host;

+    if (rc == NGX_DECLINED || hc->conf_ctx == cscf->ctx) {
+        return SSL_TLSEXT_ERR_OK;
+    }
+
     hc->conf_ctx = cscf->ctx;

     clcf = ngx_http_get_module_loc_conf(hc->conf_ctx, ngx_http_core_module);
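Review bot: The new early return answers `SSL_TLSEXT_ERR_OK` for `rc == NGX_DECLINED`, i.e. it acknowledges a server name that matched no virtual server and keeps it in `*hc->ssl_servername` (the line just above), while the server's `conf_ctx` is left at whatever it was before; RFC 4366, which the description cites, has the server send an unrecognized_name alert in that situation, so a reader will wonder whether this is intended. The description says the stored name is used to skip the later HTTP host lookup, so that intent belongs in the code: `/* name not found or same server: ack the SNI name, keep the current conf_ctx */` above the `if`. The `hc->conf_ctx == cscf->ctx` half of the test reads `cscf`, which is only safe because the `NGX_DECLINED` check runs first. The enclosing function starts before this hunk and ends after it.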


