Changeset 64470ce in mod_gnutls for src/gnutls_hooks.c

Timestamp:

Nov 6, 2018, 12:50:05 PM (15 months ago)

Author:

Fiona Klute <fiona.klute@…>

Branches:

debian/master, master

Children:

a939015

Parents:

79fc46b

Message:

Load credentials and prepare ALPN in pre client hello hook

This fully enables early SNI, falling back to default virtual host
ALPN and post client hello SNI if early SNI is not available.

File:

• src/gnutls_hooks.c (modified) (5 diffs)

src/gnutls_hooks.c

@@ -365 +365 @@
     mgs_handle_t *ctxt = gnutls_session_get_ptr(session);
 
-    /* try to find a virtual host */
-    mgs_srvconf_rec *tsc = mgs_find_sni_server(ctxt);
-    if (tsc != NULL)
-    {
-        /* Found a TLS vhost based on the SNI, configure the
-         * connection context. */
-        ctxt->sc = tsc;
-        }
-
-    reload_session_credentials(ctxt);
+    /* If ctxt->sni_name is set at this point the early_sni_hook()
+     * function ran, found an SNI server name, selected a virtual
+     * host, and set up credentials, so we don't need to do that
+     * again. Otherwise try again, to cover GnuTLS versions < 3.6.3
+     * and pick up future extensions to gnutls_server_name_get(). */
+    if (ctxt->sni_name == NULL)
+    {
+        /* try to find a virtual host */
+        mgs_srvconf_rec *tsc = mgs_find_sni_server(ctxt);
+        if (tsc != NULL)
+        {
+            /* Found a TLS vhost based on the SNI, configure the
+             * connection context. */
+            ctxt->sc = tsc;
+        }
+
+        ap_log_cerror(APLOG_MARK, APLOG_TRACE1, APR_SUCCESS, ctxt->c,
+                      "%s: Loading credentials in post client hello hook",
+                      __func__);
+        reload_session_credentials(ctxt);
+    }
 
     ret = process_alpn_result(ctxt);
@@ -1032 +1043 @@
     }
 
-    ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
-                  "%s: Trying early SNI.",
-                  __func__);
-
     int ret = gnutls_ext_raw_parse(session, mgs_sni_ext_hook, msg,
                                    GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO);
     if (ret == 0 && ctxt->sni_name != NULL)
         ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
-                      "%s: Early SNI result: %s",
+                      "%s found SNI name: '%s'",
                       __func__, ctxt->sni_name);
+
+    /* try to find a virtual host for that name */
+    mgs_srvconf_rec *tsc = mgs_find_sni_server(ctxt);
+    if (tsc != NULL)
+    {
+        /* Found a TLS vhost based on the SNI, configure the
+         * connection context. */
+        ctxt->sc = tsc;
+        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, ctxt->c,
+                      "%s: Selected virtual host %s from early SNI, "
+                      "connection server is still %s.",
+                      __func__, ctxt->sc->s->server_hostname,
+                      ctxt->c->base_server->server_hostname);
+    }
+
+    reload_session_credentials(ctxt);
+
+    prepare_alpn_proposals(ctxt);
+
     return ret;
 }
@@ -1138 +1164 @@
         ap_log_cerror(APLOG_MARK, APLOG_ERR, err, c,
                       "gnutls_priority_set failed!");
+
 #ifdef ENABLE_EARLY_SNI
     /* Pre-handshake hook, EXPERIMENTAL */
@@ -1143 +1170 @@
                                        GNUTLS_HANDSHAKE_CLIENT_HELLO,
                                        GNUTLS_HOOK_PRE, early_sni_hook);
+#else
+    prepare_alpn_proposals(ctxt);
 #endif
-    /* Set Handshake function */
+
+    /* Post client hello hook (called after GnuTLS has parsed it) */
     gnutls_handshake_set_post_client_hello_function(ctxt->session,
             mgs_select_virtual_server_cb);
@@ -1172 +1202 @@
                           __func__, gnutls_strerror(err), err);
     }
-
-    prepare_alpn_proposals(ctxt);
 
     /* Initialize Session Cache */