[ngx] - save SSL/TLS client hello extensions ids

Maxim Dounin mdounin at mdounin.ru
Wed Aug 23 16:11:12 UTC 2017


On Tue, Aug 22, 2017 at 09:58:32PM +0100, Paulo Pacheco wrote:

> Hi,
> Is this patch the right way to do it?
> My motivation was this: https://github.com/fooinha/nginx-ssl-ja3

Saving the list of TLS extensions for future use just in case we'll 
need it in some 3rd-party module looks suboptimal, so please don't 
expect this patch to be merged.


> @@ -1229,6 +1283,10 @@
>      ngx_ssl_clear_error(c->log);
> +#if OPENSSL_VERSION_NUMBER >= 0x10101000L
> +    SSL_CTX_set_early_cb(c->ssl->session_ctx, ngx_SSL_early_cb_fn, c);
> +#endif
> +
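
Review bot: on the added `SSL_CTX_set_early_cb(c->ssl->session_ctx, ngx_SSL_early_cb_fn, c);` line, the per-connection pointer `c` is passed as the callback argument, but it is stored on the SSL_CTX, which is shared by every connection created from that context. Each new connection overwrites the argument, so the callback can run with a pointer to a different connection, or to one that has already been closed. Register the callback once with a NULL or configuration-level argument, and look the connection up inside the callback from the SSL handle it receives, for example with ngx_ssl_get_connection(). The mixed-case name `ngx_SSL_early_cb_fn` also does not match the lower-case naming of the surrounding code.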

Modifications of SSL contexts should be done during configuration, 
not at run-time.  Instead, you should do this when a context is 
configured, somewhere in ngx_http_ssl_merge_srv_conf() after the 
ngx_ssl_create() call.

Note well that you can install the callback in your own module - this 
will be a hack and the code will break if/when nginx starts 
using SSL_CTX_set_early_cb() for some reason, but this will allow 
your module to work for now without any modifications of nginx 
core.  This approach should be good enough at least for 

Maxim Dounin
