[ngx] - save SSL/TLS client hello extensions ids
Maxim Dounin
mdounin at mdounin.ru
Wed Aug 23 16:11:12 UTC 2017
Hello!
On Tue, Aug 22, 2017 at 09:58:32PM +0100, Paulo Pacheco wrote:
> Hi,
>
> Is this patch the right way to do it?
>
> My motivation was this: https://github.com/fooinha/nginx-ssl-ja3
Saving the list of TLS extensions for future use just in case we'll
need it in some 3rd-party module looks suboptimal, so please don't
expect this patch to be merged.
[...]
> @@ -1229,6 +1283,10 @@
>
> ngx_ssl_clear_error(c->log);
>
> +#if OPENSSL_VERSION_NUMBER >= 0x10101000L
> + SSL_CTX_set_early_cb(c->ssl->session_ctx, ngx_SSL_early_cb_fn, c);
> +#endif
> +
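Review bot: The third argument of the added `SSL_CTX_set_early_cb(c->ssl->session_ctx, ngx_SSL_early_cb_fn, c)` call stores a per-connection pointer on an SSL_CTX, which is shared by every connection created from it, so each new connection overwrites the argument that handshakes still in progress will receive. The callback may then see a different connection's `c`, or one that has already been closed. Register the callback once with an argument that does not depend on the connection, and have the callback find its connection from the SSL handle it is passed. As a style point, `ngx_SSL_early_cb_fn` mixes upper case into a function name where the surrounding code (`ngx_ssl_clear_error`) is all lower case.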
Modifications of SSL contexts should be done during configuration,
not at run-time. Instead, you should do this when a context is
configured, somewhere in ngx_http_ssl_merge_srv_conf() after the
ngx_ssl_create() call.

Note well that you can install the callback in your own module - this
will be a hack and the code will break if/when nginx starts
using SSL_CTX_set_early_cb() for some reason, but this will allow
your module to work for now without any modifications of nginx
core. This approach should be good enough at least for
experiments.
--
Maxim Dounin
http://nginx.org/
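For readers following the thread: the data the patch wants to save is the ordered list of extension type ids in the ClientHello. The following is an added example, not code from this thread, from nginx, or from the nginx-ssl-ja3 module; it walks a raw ClientHello body with bounds checks and collects those ids. The names `ch_extension_ids`, `skip_vec` and `sample_hello` are hypothetical, the sample bytes are constructed, and skipping GREASE values is an assumption about what a fingerprinting module would want.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample: a ClientHello body, starting at client_version, with
 * extensions 0x0a0a (GREASE), 0x000a, 0x002b and 0x0017 in that order. */
static const uint8_t sample_hello[] = {
    0x03, 0x03,                       /* version; [2..33] random stays zero */
    [34] = 0x00, 0x00, 0x02, 0x13, 0x01, 0x01, 0x00, 0x00, 0x17,
    0x0a, 0x0a, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x04, 0x00, 0x02, 0x00, 0x1d,
    0x00, 0x2b, 0x00, 0x03, 0x02, 0x03, 0x04, 0x00, 0x17, 0x00, 0x00 };

/* Skip a vector with an lb-byte length prefix (lb is 1 or 2). */
static int skip_vec(const uint8_t **p, size_t *n, size_t lb) {
    size_t len;
    if (*n < lb) return -1;
    len = (lb == 1) ? (*p)[0] : ((size_t)(*p)[0] << 8) | (*p)[1];
    if (*n - lb < len) return -1;
    *p += lb + len; *n -= lb + len;
    return 0;
}

/* Store extension ids in wire order, skipping GREASE (RFC 8701); returns
 * the count, or -1 if the message is malformed or out[] is too small. */
int ch_extension_ids(const uint8_t *p, size_t n, uint16_t *out, size_t max) {
    size_t count = 0;
    if (n < 34) return -1;                       /* version + random */
    p += 34; n -= 34;
    if (skip_vec(&p, &n, 1) || skip_vec(&p, &n, 2) || skip_vec(&p, &n, 1))
        return -1;            /* session_id, cipher_suites, compression */
    if (n == 0) return 0;                        /* no extensions block */
    if (n < 2 || (((size_t)p[0] << 8) | p[1]) != n - 2) return -1;
    p += 2; n -= 2;
    while (n > 0) {
        if (n < 4) return -1;
        uint16_t type = (uint16_t)((p[0] << 8) | p[1]);
        size_t len = ((size_t)p[2] << 8) | p[3];
        if (n - 4 < len) return -1;
        p += 4 + len; n -= 4 + len;
        if ((type & 0x0f0f) == 0x0a0a && (type >> 8) == (type & 0xff))
            continue;                            /* GREASE: 0x?A?A */
        if (count == max) return -1;
        out[count++] = type;
    }
    return (int)count;
}

int main(void) {
    uint16_t ids[8];
    return ch_extension_ids(sample_hello, sizeof sample_hello, ids, 8) != 3;
}
```

The parser rejects an extensions block whose declared length does not match the remaining bytes, which keeps a truncated or padded hello from yielding a partial id list.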