ngx_stream_ssl_preread_module does not seem to extract the server_name when connecting with openconnect

Roman Arutyunyan arut at nginx.com
Thu Dec 15 17:22:16 UTC 2016


Hi Thomas,

On Thu, Dec 15, 2016 at 05:50:48PM +0100, Thomas Glanzmann wrote:
> Hello Roman,
> 
> > You can try logging $ssl_preread_server_name in access_log.
> 
> thank you. It seems that nginx is not able to extract the server_name
> from openconnect correctly:
> 
> 2a01:598:8181:37ef:95e1:682:4c98:449e - [15/Dec/2016:17:45:57 +0100] ""
> 
> When I connect with a browser:
> 
> 2a01:598:8181:37ef:95e1:682:4c98:449e - [15/Dec/2016:17:46:20 +0100] "vpn.gmvl.de"
> 
> This seems to be one problem. And another problem seems to be the backend
> communication between nginx and ocserv using the proxy protocol.
> 
> Here is tcpdump of the openconnect ssl handshake with nginx:
> 
> https://thomas.glanzmann.de/tmp/openconnect_sni.pcap
> 
> I'm using the command line 'openconnect vpn.gmvl.de'.

Please try the attached patch.

-- 
Roman Arutyunyan
-------------- next part --------------
# HG changeset patch
# User Roman Arutyunyan <arut at nginx.com>
# Date 1481822378 -10800
#      Thu Dec 15 20:19:38 2016 +0300
# Node ID 424e4b3b9c861df69360d2bf7d7efce495c27ea7
# Parent  da5604455090c04fbdc2114b9de46a3bb9b30e78
Stream ssl_preread: relaxed SSL version check.

SSL version 3.0 can be specified by the client at the record level for
compatibility reasons.  Previously, ssl_preread module rejected such
connections, presuming they don't have SNI.  Now SSL 3.0 is allowed at record
level.

diff --git a/src/stream/ngx_stream_ssl_preread_module.c b/src/stream/ngx_stream_ssl_preread_module.c
--- a/src/stream/ngx_stream_ssl_preread_module.c
+++ b/src/stream/ngx_stream_ssl_preread_module.c
@@ -142,7 +142,7 @@ ngx_stream_ssl_preread_handler(ngx_strea
             return NGX_DECLINED;
         }
 
-        if (p[1] != 3 || p[2] == 0) {
+        if (p[1] != 3) {
             ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
                            "ssl preread: unsupported SSL version");
             return NGX_DECLINED;
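Review bot: with the `p[2] == 0` test dropped from the condition, a genuine SSLv3 ClientHello (one that ends after compression_methods and carries no extensions block) is no longer declined here and will instead be handed to the ClientHello parser, so it is worth confirming that the parser reports "no SNI" for such a hello rather than treating it as malformed. A short comment above `if (p[1] != 3) {` saying that a 3.0 version at the record layer is accepted for compatibility (the reasoning from the commit message) would stop a later cleanup from re-tightening the check; the "unsupported SSL version" debug message still reads correctly now that it only fires for a non-3 major version.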

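The record-level check the patch relaxes, as an added example that is not nginx's own code: a minimal C parser that pulls the SNI host_name out of a ClientHello while requiring only major version 3 at the record layer, beside a builder for a synthetic ClientHello so the 3.0 record version case can be exercised offline. The function names, the single cipher suite and the fixed random bytes are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Extract the SNI host_name from a TLS ClientHello record into out; returns the
 * name length, or 0 when absent. As in the patched nginx check, only the record
 * layer major version must be 3, so a 3.0 record version is accepted. */
size_t preread_sni(const uint8_t *p, size_t len, char *out, size_t outlen)
{
    size_t pos, end, ext_end, type, elen, nlen;
    if (len < 9 || p[0] != 0x16 || p[1] != 3 || p[5] != 1) return 0;
    end = 9 + ((size_t) p[6] << 16 | p[7] << 8 | p[8]);  /* handshake body end */
    if (end > len) return 0;
    pos = 9 + 2 + 32;                                     /* client_version, random */
    if (pos + 1 > end) return 0;
    pos += 1 + p[pos];                                    /* session_id */
    if (pos + 2 > end) return 0;
    pos += 2 + (p[pos] << 8 | p[pos + 1]);                /* cipher_suites */
    if (pos + 1 > end) return 0;
    pos += 1 + p[pos];                                    /* compression_methods */
    if (pos + 2 > end) return 0;                          /* real SSLv3 hello ends here */
    ext_end = pos + 2 + (p[pos] << 8 | p[pos + 1]);
    if (ext_end > end) return 0;
    for (pos += 2; pos + 4 <= ext_end; pos += elen) {     /* walk the extensions */
        type = p[pos] << 8 | p[pos + 1];
        elen = p[pos + 2] << 8 | p[pos + 3];
        pos += 4;
        if (pos + elen > ext_end) return 0;
        if (type != 0 || elen < 5 || p[pos + 2] != 0) continue;   /* want server_name/host_name */
        nlen = p[pos + 3] << 8 | p[pos + 4];
        if (nlen + 5 > elen || nlen + 1 > outlen) return 0;
        memcpy(out, p + pos + 5, nlen);
        out[nlen] = '\0';
        return nlen;
    }
    return 0;
}

/* Build a constructed ClientHello with record version 3.<minor> and one SNI
 * host_name (a synthetic message, not the capture from the thread); name < 200 bytes. */
size_t build_hello(uint8_t minor, const char *name, uint8_t *buf)
{
    uint8_t n = (uint8_t) strlen(name), *q = buf;
    uint8_t hdr[] = { 0x16, 3, minor, 0, 56 + n, 1, 0, 0, 52 + n, 3, 3 };
    uint8_t tail[] = { 0, 0, 2, 0x00, 0x2f, 1, 0, 0, 9 + n, 0, 0, 0, 5 + n, 0, 3 + n, 0, 0, n };
    memcpy(q, hdr, 11); q += 11;             /* record + handshake headers, TLS 1.2 version */
    memset(q, 0x42, 32); q += 32;            /* random */
    memcpy(q, tail, 18); q += 18;            /* session_id, suites, compression, extensions */
    memcpy(q, name, n); return 11 + 32 + 18 + n;
}
```

Feeding the builder a minor version of 0 reproduces the case from the thread: a record version of 3.0 with a TLS 1.2 ClientHello and an SNI extension inside, which the pre-patch `p[2] == 0` test would have declined.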
