[ngx] - save SSL/TLS client hello extensions ids

Maxim Dounin mdounin at mdounin.ru
Wed Aug 23 16:11:12 UTC 2017


Hello!

On Tue, Aug 22, 2017 at 09:58:32PM +0100, Paulo Pacheco wrote:

> Hi,
> 
> Is this patch the right way to do it?
> 
> My motivation was this: https://github.com/fooinha/nginx-ssl-ja3

Saving the list of TLS extensions for future use just in case we'll 
need it in some 3rd-party module looks suboptimal, so please don't 
expect this patch to be merged.

[...]

> @@ -1229,6 +1283,10 @@
> 
>      ngx_ssl_clear_error(c->log);
> 
> +#if OPENSSL_VERSION_NUMBER >= 0x10101000L
> +    SSL_CTX_set_early_cb(c->ssl->session_ctx, ngx_SSL_early_cb_fn, c);
> +#endif
> +
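
Review bot: the third argument passed to SSL_CTX_set_early_cb() in this hunk is `c`, which from `c->log` and `c->ssl` is the per-connection object, while the callback and its argument are stored on the SSL_CTX. If `c->ssl->session_ctx` is shared between connections, each call overwrites the argument left by the previous one, so a handshake can be handed another connection's pointer, or one that is no longer valid. Suggest registering the callback once with an argument that lives as long as the context (or NULL) and recovering the connection inside the callback from the SSL object it receives. Minor: `ngx_SSL_early_cb_fn` mixes case, unlike the `ngx_ssl_` naming visible on the context line above it.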

Modifications of SSL contexts should be done during configuration, 
not at run-time.  Instead, you should do this when a context is 
configured, somewhere in ngx_http_ssl_merge_srv_conf() after the 
ngx_ssl_create() call.

Note well that you can install the callback in your own module - this 
will be a hack and the code will break if/when nginx starts 
using SSL_CTX_set_early_cb() for some reason, but this will allow 
your module to work for now without any modifications of nginx 
core.  This approach should be good enough at least for 
experiments.

-- 
Maxim Dounin
http://nginx.org/

