Changeset 64470ce in mod_gnutls


Timestamp:
Nov 6, 2018, 12:50:05 PM (4 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
debian/master, master
Children:
a939015
Parents:
79fc46b
Message:

Load credentials and prepare ALPN in pre client hello hook

This fully enables early SNI, falling back to the default virtual host's ALPN proposals and to post-client-hello SNI when early SNI is not available.

File:
1 edited

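--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -365,14 +365,25 @@
     mgs_handle_t *ctxt = gnutls_session_get_ptr(session);
 
-    /* try to find a virtual host */
-    mgs_srvconf_rec *tsc = mgs_find_sni_server(ctxt);
-    if (tsc != NULL)
-    {
-        /* Found a TLS vhost based on the SNI, configure the
-         * connection context. */
-        ctxt->sc = tsc;
-        }
-
-    reload_session_credentials(ctxt);
+    /* If ctxt->sni_name is set at this point the early_sni_hook()
+     * function ran, found an SNI server name, selected a virtual
+     * host, and set up credentials, so we don't need to do that
+     * again. Otherwise try again, to cover GnuTLS versions < 3.6.3
+     * and pick up future extensions to gnutls_server_name_get(). */
+    if (ctxt->sni_name == NULL)
+    {
+        /* try to find a virtual host */
+        mgs_srvconf_rec *tsc = mgs_find_sni_server(ctxt);
+        if (tsc != NULL)
+        {
+            /* Found a TLS vhost based on the SNI, configure the
+             * connection context. */
+            ctxt->sc = tsc;
+        }
+
+        ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, ctxt->c,
+                      "%s: Loading credentials in post client hello hook",
+                      __func__);
+        reload_session_credentials(ctxt);
+    }
 
     ret = process_alpn_result(ctxt);
@@ -1032,14 +1043,29 @@
     }
 
-    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
-                  "%s: Trying early SNI.",
-                  __func__);
-
     int ret = gnutls_ext_raw_parse(session, mgs_sni_ext_hook, msg,
                                    GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO);
     if (ret == 0 && ctxt->sni_name != NULL)
         ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
-                      "%s: Early SNI result: %s",
+                      "%s found SNI name: '%s'",
                       __func__, ctxt->sni_name);
+
+    /* try to find a virtual host for that name */
+    mgs_srvconf_rec *tsc = mgs_find_sni_server(ctxt);
+    if (tsc != NULL)
+    {
+        /* Found a TLS vhost based on the SNI, configure the
+         * connection context. */
+        ctxt->sc = tsc;
+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
+                      "%s: Selected virtual host %s from early SNI, "
+                      "connection server is still %s.",
+                      __func__, ctxt->sc->s->server_hostname,
+                      ctxt->c->base_server->server_hostname);
+    }
+
+    reload_session_credentials(ctxt);
+
+    prepare_alpn_proposals(ctxt);
+
     return ret;
 }
@@ -1138,4 +1164,5 @@
         ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c,
                       "gnutls_priority_set failed!");
+
 #ifdef ENABLE_EARLY_SNI
     /* Pre-handshake hook, EXPERIMENTAL */
@@ -1143,6 +1170,9 @@
                                        GNUTLS_HANDSHAKE_CLIENT_HELLO,
                                        GNUTLS_HOOK_PRE, early_sni_hook);
+#else
+    prepare_alpn_proposals(ctxt);
 #endif
-    /* Set Handshake function */
+
+    /* Post client hello hook (called after GnuTLS has parsed it) */
     gnutls_handshake_set_post_client_hello_function(ctxt->session,
             mgs_select_virtual_server_cb);
@@ -1172,6 +1202,4 @@
                           __func__, gnutls_strerror(err), err);
     }
-
-    prepare_alpn_proposals(ctxt);
 
     /* Initialize Session Cache */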
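Review bot: In early_sni_hook() (the hunk around `int ret = gnutls_ext_raw_parse(...)`) the virtual-host lookup, `reload_session_credentials(ctxt)` and `prepare_alpn_proposals(ctxt)` now run even when gnutls_ext_raw_parse() returned an error, whereas the removed code returned `ret` immediately after the parse. If a non-zero return from this pre-hook aborts the handshake, as it appears to, that work is wasted on a malformed ClientHello and the credential load happens before the failure is surfaced; a short-circuit `if (ret != 0) return ret;` directly after the parse keeps the failure path as cheap as before and leaves the success path unchanged. The new "found SNI name" log line also drops the "Trying early SNI" message, so a ClientHello without an SNI extension now produces no trace at all from this hook; if that was not intended, a TRACE1 line on the `ctxt->sni_name == NULL` case would restore it. early_sni_hook's body starts before the hunk.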