[ngx] - save SSL/TLS client hello extensions ids

Paulo Pacheco fooinha at gmail.com
Tue Aug 22 20:58:32 UTC 2017


Hi,

Is this patch the right way to do it?

My motivation was this: https://github.com/fooinha/nginx-ssl-ja3

Obrigado | Thanx | СПС
Paulo Pacheco | Паулу Пачеку


------------------------------------------ CUT HERE
------------------------------------------

diff -r 2e8de3d81783 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Tue Aug 22 17:36:12 2017 +0300
+++ b/src/event/ngx_event_openssl.c Tue Aug 22 20:20:30 2017 +0000
@@ -1221,6 +1221,60 @@
 }


+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+
+int
+ngx_SSL_early_cb_fn(SSL *s, int *al, void *arg) {
+
+    int               got_extensions;
+    int              *ext_out;
+    size_t            ext_len;
+    ngx_connection_t *c;
+
+    c = arg;
+
+    if (c == NULL) {
+        return 1;
+    }
+
+    if (c->ssl == NULL) {
+        return 1;
+    }
+
+    c->ssl->client_extensions_size = 0;
+    c->ssl->client_extensions = NULL;
+
+    got_extensions = SSL_early_get1_extensions_present(s,
+                                                       &ext_out,
+                                                       &ext_len);
+    if (!got_extensions) {
+        return 1;
+    }
+
+    if (!ext_out) {
+        return 1;
+    }
+
+    if (!ext_len) {
+        return 1;
+    }
+
+    c->ssl->client_extensions = ngx_palloc(c->pool, sizeof(int) * ext_len);
+    if (c->ssl->client_extensions == NULL) {
+        OPENSSL_free(ext_out);
+        return 1;
+    }
+
+    c->ssl->client_extensions_size = ext_len;
+    ngx_memcpy(c->ssl->client_extensions, ext_out, sizeof(int) * ext_len);
+
+    OPENSSL_free(ext_out);
+
+    return 1;
+}
+#endif
+
+
 ngx_int_t
 ngx_ssl_handshake(ngx_connection_t *c)
 {
@@ -1229,6 +1283,10 @@

     ngx_ssl_clear_error(c->log);

+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+    SSL_CTX_set_early_cb(c->ssl->session_ctx, ngx_SSL_early_cb_fn, c);
+#endif
+
     n = SSL_do_handshake(c->ssl->connection);

     ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n);
diff -r 2e8de3d81783 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Tue Aug 22 17:36:12 2017 +0300
+++ b/src/event/ngx_event_openssl.h Tue Aug 22 20:20:30 2017 +0000
@@ -85,6 +85,11 @@
     unsigned                    no_wait_shutdown:1;
     unsigned                    no_send_shutdown:1;
     unsigned                    handshake_buffer_set:1;
+
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+    size_t                      client_extensions_size;
+    int                        *client_extensions;
+#endif
 };


------------------------------------------ CUT HERE
------------------------------------------


More information about the nginx-devel mailing list