From 0129f6788ee60e68bbe54a0c52201802f409f0a7 Mon Sep 17 00:00:00 2001 From: Nic Date: Tue, 10 Jun 2025 14:15:34 +0800 Subject: [PATCH 01/13] SNI: added restriction for TLSv1.3 cross-SNI session resumption Signed-off-by: Nic --- patch/1.21.4/nginx-sni_restriction.patch | 72 ++++++++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 patch/1.21.4/nginx-sni_restriction.patch diff --git a/patch/1.21.4/nginx-sni_restriction.patch b/patch/1.21.4/nginx-sni_restriction.patch new file mode 100644 index 0000000..0c6639a --- /dev/null +++ b/patch/1.21.4/nginx-sni_restriction.patch 
@@ -0,0 +1,72 @@ +From 823e886851263a8ce84fd22aeead4c3aa819bce1 Mon Sep 17 00:00:00 2001 +From: Sergey Kandaurov +Date: Wed, 22 Jan 2025 18:55:44 +0400 +Subject: [PATCH] SNI: added restriction for TLSv1.3 cross-SNI session + resumption. + +In OpenSSL, session resumption always happens in the default SSL context, +prior to invoking the SNI callback. Further, unlike in TLSv1.2 and older +protocols, SSL_get_servername() returns values received in the resumption +handshake, which may be different from the value in the initial handshake. +Notably, this makes the restriction added in b720f650b insufficient for +sessions resumed with different SNI server name. + +Considering the example from b720f650b, previously, a client was able to +request example.org by presenting a certificate for example.org, then to +resume and request example.com. + +The fix is to reject handshakes resumed with a different server name, if +verification of client certificates is enabled in a corresponding server +configuration. 
+--- + src/http/ngx_http_request.c | 27 +++++++++++++++++++++++++-- + 1 file changed, 25 insertions(+), 2 deletions(-) + +diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c +index 013b7158e..d5ac3d415 100644 +--- a/src/http/ngx_http_request.c ++++ b/src/http/ngx_http_request.c +@@ -909,6 +909,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) + goto done; + } + ++ sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module); ++ ++#if (defined TLS1_3_VERSION \ ++ && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL) ++ ++ /* ++ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+, ++ * but servername being negotiated in every TLSv1.3 handshake ++ * is only returned in OpenSSL 1.1.1+ as well ++ */ ++ ++ if (sscf->verify) { ++ const char *hostname; ++ ++ hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn)); ++ ++ if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) { ++ c->ssl->handshake_rejected = 1; ++ *ad = SSL_AD_ACCESS_DENIED; ++ return SSL_TLSEXT_ERR_ALERT_FATAL; ++ } ++ } ++ ++#endif ++ + hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t)); + if (hc->ssl_servername == NULL) { + goto error; +@@ -922,8 +947,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) + + ngx_set_connection_log(c, clcf->error_log); + +- sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module); +- + c->ssl->buffer_size = sscf->buffer_size; + + if (sscf->ssl.ctx) { +-- +2.43.0 + From af6b6fb10e727e55c21cab6ab5e7d2fe43700936 Mon Sep 17 00:00:00 2001 From: Nic Date: Tue, 10 Jun 2025 14:45:01 +0800 Subject: [PATCH 02/13] f Signed-off-by: Nic --- patch/1.21.4/nginx-sni_restriction.patch | 33 +++--------------------- 1 file changed, 3 insertions(+), 30 deletions(-) diff --git a/patch/1.21.4/nginx-sni_restriction.patch b/patch/1.21.4/nginx-sni_restriction.patch index 0c6639a..bafaaba 100644 --- a/patch/1.21.4/nginx-sni_restriction.patch 
+++ b/patch/1.21.4/nginx-sni_restriction.patch @@ -1,31 +1,7 @@ -From 823e886851263a8ce84fd22aeead4c3aa819bce1 Mon Sep 17 00:00:00 2001 -From: Sergey Kandaurov -Date: Wed, 22 Jan 2025 18:55:44 +0400 -Subject: [PATCH] SNI: added restriction for TLSv1.3 cross-SNI session - resumption. - -In OpenSSL, session resumption always happens in the default SSL context, -prior to invoking the SNI callback. Further, unlike in TLSv1.2 and older -protocols, SSL_get_servername() returns values received in the resumption -handshake, which may be different from the value in the initial handshake. -Notably, this makes the restriction added in b720f650b insufficient for -sessions resumed with different SNI server name. - -Considering the example from b720f650b, previously, a client was able to -request example.org by presenting a certificate for example.org, then to -resume and request example.com. - -The fix is to reject handshakes resumed with a different server name, if -verification of client certificates is enabled in a corresponding server -configuration. ---- - src/http/ngx_http_request.c | 27 +++++++++++++++++++++++++-- - 1 file changed, 25 insertions(+), 2 deletions(-) - -diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c +diff --git src/http/ngx_http_request.c src/http/ngx_http_request.c index 013b7158e..d5ac3d415 100644 ---- a/src/http/ngx_http_request.c -+++ b/src/http/ngx_http_request.c +--- src/http/ngx_http_request.c ++++ src/http/ngx_http_request.c @@ -909,6 +909,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) goto done; } @@ -67,6 +43,3 @@ index 013b7158e..d5ac3d415 100644 c->ssl->buffer_size = sscf->buffer_size; if (sscf->ssl.ctx) { --- -2.43.0 - From 69a5ca0927d02f3f848d0d94487b0faf72c23a00 Mon Sep 17 00:00:00 2001 From: Nic Date: Thu, 12 Jun 2025 17:43:32 +0800 Subject: [PATCH 03/13] f 
Signed-off-by: Nic --- patch/1.21.4/nginx-sni_restriction.patch | 32 +++++++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/patch/1.21.4/nginx-sni_restriction.patch b/patch/1.21.4/nginx-sni_restriction.patch index bafaaba..87b599f 100644 --- a/patch/1.21.4/nginx-sni_restriction.patch +++ b/patch/1.21.4/nginx-sni_restriction.patch @@ -1,5 +1,5 @@ diff --git src/http/ngx_http_request.c src/http/ngx_http_request.c -index 013b7158e..d5ac3d415 100644 +index 013b7158e..0f8e981b5 100644 --- src/http/ngx_http_request.c +++ src/http/ngx_http_request.c @@ -909,6 +909,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) @@ -43,3 +43,33 @@ index 013b7158e..d5ac3d415 100644 c->ssl->buffer_size = sscf->buffer_size; if (sscf->ssl.ctx) { +@@ -958,6 +981,29 @@ done: + + sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module); + ++#if (defined TLS1_3_VERSION \ ++ && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL) ++ ++ /* ++ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+, ++ * but servername being negotiated in every TLSv1.3 handshake ++ * is only returned in OpenSSL 1.1.1+ as well ++ */ ++ ++ if (sscf->verify) { ++ const char *hostname; ++ ++ hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn)); ++ ++ if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) { ++ c->ssl->handshake_rejected = 1; ++ *ad = SSL_AD_ACCESS_DENIED; ++ return SSL_TLSEXT_ERR_ALERT_FATAL; ++ } ++ } ++ ++#endif ++ + if (sscf->reject_handshake) { + c->ssl->handshake_rejected = 1; + *ad = SSL_AD_UNRECOGNIZED_NAME; From 7e50d8d4b21d9667dd1d1491d368818138fd4445 Mon Sep 17 00:00:00 2001 From: Nic Date: Thu, 12 Jun 2025 19:23:15 +0800 Subject: [PATCH 04/13] f Signed-off-by: Nic --- patch/1.21.4/nginx-sni_restriction.patch | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) 
diff --git a/patch/1.21.4/nginx-sni_restriction.patch b/patch/1.21.4/nginx-sni_restriction.patch index 87b599f..033639e 100644 --- a/patch/1.21.4/nginx-sni_restriction.patch +++ b/patch/1.21.4/nginx-sni_restriction.patch @@ -1,5 +1,5 @@ diff --git src/http/ngx_http_request.c src/http/ngx_http_request.c -index 013b7158e..0f8e981b5 100644 +index 013b7158e..6bac89cf4 100644 --- src/http/ngx_http_request.c +++ src/http/ngx_http_request.c @@ -909,6 +909,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) @@ -43,7 +43,7 @@ index 013b7158e..0f8e981b5 100644 c->ssl->buffer_size = sscf->buffer_size; if (sscf->ssl.ctx) { -@@ -958,6 +981,29 @@ done: +@@ -958,6 +981,27 @@ done: sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module); @@ -56,16 +56,14 @@ index 013b7158e..0f8e981b5 100644 + * is only returned in OpenSSL 1.1.1+ as well + */ + -+ if (sscf->verify) { -+ const char *hostname; ++ const char *hostname; + -+ hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn)); ++ hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn)); + -+ if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) { -+ c->ssl->handshake_rejected = 1; -+ *ad = SSL_AD_ACCESS_DENIED; -+ return SSL_TLSEXT_ERR_ALERT_FATAL; -+ } ++ if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) { ++ c->ssl->handshake_rejected = 1; ++ *ad = SSL_AD_ACCESS_DENIED; ++ return SSL_TLSEXT_ERR_ALERT_FATAL; + } + +#endif From 9f39eacd4ce58815bf92e5ef99f6f1648be3e91e Mon Sep 17 00:00:00 2001 From: Nic Date: Thu, 12 Jun 2025 19:44:55 +0800 Subject: [PATCH 05/13] f Signed-off-by: Nic --- patch/1.21.4/nginx-sni_restriction.patch | 51 +++--------------------- 1 file changed, 5 insertions(+), 46 deletions(-) diff --git a/patch/1.21.4/nginx-sni_restriction.patch b/patch/1.21.4/nginx-sni_restriction.patch index 033639e..4b084c9 100644 --- a/patch/1.21.4/nginx-sni_restriction.patch +++ b/patch/1.21.4/nginx-sni_restriction.patch @@ -1,52 +1,11 @@ 
diff --git src/http/ngx_http_request.c src/http/ngx_http_request.c -index 013b7158e..6bac89cf4 100644 +index 013b7158e..1d1c4968c 100644 --- src/http/ngx_http_request.c +++ src/http/ngx_http_request.c -@@ -909,6 +909,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) +@@ -898,6 +898,27 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) goto done; } -+ sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module); -+ -+#if (defined TLS1_3_VERSION \ -+ && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL) -+ -+ /* -+ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+, -+ * but servername being negotiated in every TLSv1.3 handshake -+ * is only returned in OpenSSL 1.1.1+ as well -+ */ -+ -+ if (sscf->verify) { -+ const char *hostname; -+ -+ hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn)); -+ -+ if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) { -+ c->ssl->handshake_rejected = 1; -+ *ad = SSL_AD_ACCESS_DENIED; -+ return SSL_TLSEXT_ERR_ALERT_FATAL; -+ } -+ } -+ -+#endif -+ - hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t)); - if (hc->ssl_servername == NULL) { - goto error; -@@ -922,8 +947,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) - - ngx_set_connection_log(c, clcf->error_log); - -- sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module); -- - c->ssl->buffer_size = sscf->buffer_size; - - if (sscf->ssl.ctx) { -@@ -958,6 +981,27 @@ done: - - sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module); - +#if (defined TLS1_3_VERSION \ + && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL) + @@ -68,6 +27,6 @@ index 013b7158e..6bac89cf4 100644 + +#endif + - if (sscf->reject_handshake) { - c->ssl->handshake_rejected = 1; - *ad = SSL_AD_UNRECOGNIZED_NAME; + rc = ngx_http_find_virtual_server(c, hc->addr_conf->virtual_names, &host, + NULL, &cscf); + 
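Review bot: In the inner hunk now at `@@ -898,6 +898,27 @@`, the check has lost both the `if (sscf->verify)` guard (dropped in patch 04) and its placement after the virtual-server lookup (patches 03/04), so every TLSv1.3 resumption whose SNI differs from the name stored in the session is rejected with `SSL_AD_ACCESS_DENIED` on every server, including ones with no client-certificate verification configured; the upstream description this file carried in patch 01 ties the restriction to client-certificate verification, and that behavioural difference is not recorded anywhere in the series. The `const char *hostname;` declaration now follows executable statements inside the function body, which nginx style avoids; it should sit with the other locals at the top of `ngx_http_ssl_servername`. Since patch 06 deletes this file entirely, the "f" commits 02-05 should be squashed away before merge so the history does not carry a transient nginx-side policy that never ships. The enclosing function starts and ends outside the hunk.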
From 33a2fa783326818fb684618228b1da92fbf7fe1e Mon Sep 17 00:00:00 2001 From: Nic Date: Mon, 16 Jun 2025 16:57:49 +0800 Subject: [PATCH 06/13] feat: add api to get hostname of ssl session Signed-off-by: Nic --- .../lua-resty-core-ssl_session_hostname.patch | 77 +++++++++++++++++++ patch/1.21.4/nginx-sni_restriction.patch | 32 -------- .../1.21.4/ngx_lua-ssl_session_hostname.patch | 51 ++++++++++++ 3 files changed, 128 insertions(+), 32 deletions(-) create mode 100644 patch/1.21.4/lua-resty-core-ssl_session_hostname.patch delete mode 100644 patch/1.21.4/nginx-sni_restriction.patch create mode 100644 patch/1.21.4/ngx_lua-ssl_session_hostname.patch diff --git a/patch/1.21.4/lua-resty-core-ssl_session_hostname.patch b/patch/1.21.4/lua-resty-core-ssl_session_hostname.patch new file mode 100644 index 0000000..e3b12cd --- /dev/null +++ b/patch/1.21.4/lua-resty-core-ssl_session_hostname.patch 
@@ -0,0 +1,77 @@ +diff --git lib/ngx/ssl.lua lib/ngx/ssl.lua +index 8792be0..aa1d0f8 100644 +--- lib/ngx/ssl.lua ++++ lib/ngx/ssl.lua +@@ -26,6 +26,7 @@ local ngx_lua_ffi_ssl_set_der_private_key + local ngx_lua_ffi_ssl_raw_server_addr + local ngx_lua_ffi_ssl_server_port + local ngx_lua_ffi_ssl_server_name ++local ngx_lua_ffi_ssl_session_hostname + local ngx_lua_ffi_ssl_raw_client_addr + local ngx_lua_ffi_cert_pem_to_der + local ngx_lua_ffi_priv_key_pem_to_der +@@ -58,6 +59,9 @@ if subsystem == 'http' then + int ngx_http_lua_ffi_ssl_server_name(ngx_http_request_t *r, char **name, + size_t *namelen, char **err); + ++ int ngx_http_lua_ffi_ssl_session_hostname(ngx_http_request_t *r, char **name, ++ size_t *namelen, char **err); ++ + int ngx_http_lua_ffi_ssl_raw_client_addr(ngx_http_request_t *r, char **addr, + size_t *addrlen, int *addrtype, char **err); + +@@ -96,7 +100,7 @@ if subsystem == 'http' then + C.ngx_http_lua_ffi_ssl_set_der_private_key + ngx_lua_ffi_ssl_raw_server_addr = C.ngx_http_lua_ffi_ssl_raw_server_addr + ngx_lua_ffi_ssl_server_port = C.ngx_http_lua_ffi_ssl_server_port +- ngx_lua_ffi_ssl_server_name = C.ngx_http_lua_ffi_ssl_server_name ++ ngx_lua_ffi_ssl_session_hostname = C.ngx_http_lua_ffi_ssl_session_hostname + ngx_lua_ffi_ssl_raw_client_addr = C.ngx_http_lua_ffi_ssl_raw_client_addr + ngx_lua_ffi_cert_pem_to_der = C.ngx_http_lua_ffi_cert_pem_to_der + ngx_lua_ffi_priv_key_pem_to_der = C.ngx_http_lua_ffi_priv_key_pem_to_der +@@ -129,6 +133,9 @@ elseif subsystem == 'stream' then + int ngx_stream_lua_ffi_ssl_server_name(ngx_stream_lua_request_t *r, + char **name, size_t *namelen, char **err); + ++ int ngx_stream_lua_ffi_ssl_session_hostname(ngx_stream_lua_request_t *r, ++ char **name, size_t *namelen, char **err); ++ + int ngx_stream_lua_ffi_ssl_raw_client_addr(ngx_stream_lua_request_t *r, + char **addr, size_t *addrlen, int *addrtype, char **err); + +@@ -168,6 +175,7 @@ elseif subsystem == 'stream' then + ngx_lua_ffi_ssl_raw_server_addr = 
C.ngx_stream_lua_ffi_ssl_raw_server_addr + ngx_lua_ffi_ssl_server_port = C.ngx_stream_lua_ffi_ssl_server_port + ngx_lua_ffi_ssl_server_name = C.ngx_stream_lua_ffi_ssl_server_name ++ ngx_lua_ffi_ssl_session_hostname = C.ngx_stream_lua_ffi_ssl_session_hostname + ngx_lua_ffi_ssl_raw_client_addr = C.ngx_stream_lua_ffi_ssl_raw_client_addr + ngx_lua_ffi_cert_pem_to_der = C.ngx_stream_lua_ffi_cert_pem_to_der + ngx_lua_ffi_priv_key_pem_to_der = C.ngx_stream_lua_ffi_priv_key_pem_to_der +@@ -299,6 +307,27 @@ function _M.server_name() + end + + ++function _M.session_hostname() ++ local r = get_request() ++ if not r then ++ error("no request found") ++ end ++ ++ local sizep = get_size_ptr() ++ ++ local rc = ngx_lua_ffi_ssl_session_hostname(r, charpp, sizep, errmsg) ++ if rc ~= FFI_OK then ++ return nil, ffi_str(errmsg[0]) ++ end ++ ++ if sizep[0] == 0 then ++ return nil ++ end ++ ++ return ffi_str(charpp[0], sizep[0]) ++end ++ ++ + function _M.raw_client_addr() + local r = get_request() + if not r then diff --git a/patch/1.21.4/nginx-sni_restriction.patch b/patch/1.21.4/nginx-sni_restriction.patch deleted file mode 100644 index 4b084c9..0000000 --- a/patch/1.21.4/nginx-sni_restriction.patch +++ /dev/null 
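Review bot: The inner hunk `@@ -96,7 +100,7 @@` replaces the line `ngx_lua_ffi_ssl_server_name = C.ngx_http_lua_ffi_ssl_server_name` instead of adding a line after it, so in the http subsystem `_M.server_name()` would call a nil upvalue; patch 07 restores the line, but the fix belongs in this commit. The new public `_M.session_hostname()` has no doc comment and no README entry; I would add an LDoc block above it stating that it returns the hostname recorded in the connection's current SSL session (`SSL_SESSION_get0_hostname` on the C side), `nil` when no such name is present, and `nil, err` on failure. Callers should also be told that a plain `nil` is returned both when the session carries no name and when the build is LibreSSL, BoringSSL or an OpenSSL without `TLS1_3_VERSION` (the C side then returns an empty name with `NGX_OK`), so a handler that relies on this value to reject cross-SNI resumption cannot distinguish "unsupported" from "no name" and must be written with that in mind. The same documentation gap exists in patch 13's copy for 1.27.1.1.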
@@ -1,32 +0,0 @@ -diff --git src/http/ngx_http_request.c src/http/ngx_http_request.c -index 013b7158e..1d1c4968c 100644 ---- src/http/ngx_http_request.c -+++ src/http/ngx_http_request.c -@@ -898,6 +898,27 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg) - goto done; - } - -+#if (defined TLS1_3_VERSION \ -+ && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL) -+ -+ /* -+ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+, -+ * but servername being negotiated in every TLSv1.3 handshake -+ * is only returned in OpenSSL 1.1.1+ as well -+ */ -+ -+ const char *hostname; -+ -+ hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn)); -+ -+ if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) { -+ c->ssl->handshake_rejected = 1; -+ *ad = SSL_AD_ACCESS_DENIED; -+ return SSL_TLSEXT_ERR_ALERT_FATAL; -+ } -+ -+#endif -+ - rc = ngx_http_find_virtual_server(c, hc->addr_conf->virtual_names, &host, - NULL, &cscf); - diff --git a/patch/1.21.4/ngx_lua-ssl_session_hostname.patch b/patch/1.21.4/ngx_lua-ssl_session_hostname.patch new file mode 100644 index 0000000..8fa4734 --- /dev/null +++ b/patch/1.21.4/ngx_lua-ssl_session_hostname.patch 
@@ -0,0 +1,51 @@ +diff --git src/ngx_http_lua_ssl_certby.c src/ngx_http_lua_ssl_certby.c +index b8e70dde..f00f794f 100644 +--- src/ngx_http_lua_ssl_certby.c ++++ src/ngx_http_lua_ssl_certby.c +@@ -870,6 +870,46 @@ ngx_http_lua_ffi_ssl_server_name(ngx_http_request_t *r, char **name, + } + + ++int ++ngx_http_lua_ffi_ssl_session_hostname(ngx_http_request_t *r, char **name, ++ size_t *namelen, char **err) ++{ ++ ngx_ssl_conn_t *ssl_conn; ++ ++ if (r->connection == NULL || r->connection->ssl == NULL) { ++ *err = "bad request"; ++ return NGX_ERROR; ++ } ++ ++ ssl_conn = r->connection->ssl->connection; ++ if (ssl_conn == NULL) { ++ *err = "bad ssl conn"; ++ return NGX_ERROR; ++ } ++ ++#if (defined(TLS1_3_VERSION) \ ++ && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL) ++ ++ /* ++ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+, ++ * but servername being negotiated in every TLSv1.3 handshake ++ * is only returned in OpenSSL 1.1.1+ as well ++ */ ++ ++ *name = (char *) SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn)); ++ ++ if (*name) { ++ *namelen = ngx_strlen(*name); ++ return NGX_OK; ++ } ++#endif ++ ++ *name = ""; ++ *namelen = 0; ++ return NGX_OK; ++} ++ ++ + int + ngx_http_lua_ffi_ssl_server_port(ngx_http_request_t *r, + unsigned short *server_port, char **err) From 5ee76353f6f34ad7c3de2c528c15d6667a46c189 Mon Sep 17 00:00:00 2001 From: Nic Date: Mon, 16 Jun 2025 17:00:32 +0800 Subject: [PATCH 07/13] f Signed-off-by: Nic --- .../lua-resty-core-ssl_session_hostname.patch | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/patch/1.21.4/lua-resty-core-ssl_session_hostname.patch b/patch/1.21.4/lua-resty-core-ssl_session_hostname.patch index e3b12cd..dd990d6 100644 --- a/patch/1.21.4/lua-resty-core-ssl_session_hostname.patch +++ b/patch/1.21.4/lua-resty-core-ssl_session_hostname.patch @@ -1,5 +1,5 @@ 
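Review bot: `SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn))` in the new `ngx_http_lua_ffi_ssl_session_hostname` dereferences the session pointer without checking it; OpenSSL documents that `SSL_get0_session()` returns NULL when no session is available, and nothing here restricts which Lua phase calls this FFI function, so if it is reached before a session is attached the worker would crash. Guard it the way patch 09's stream variant does: `SSL_SESSION *sess = SSL_get0_session(ssl_conn);` followed by `if (sess != NULL) { *name = (char *) SSL_SESSION_get0_hostname(sess); ... }`, with `sess` declared next to `ssl_conn`. The same unguarded call appears in patch 11 (which removes the guard from the stream variant) and in both 1.27.1.1 copies added by patch 12. The `#if` condition a few lines below is also missing its closing parenthesis, which patch 08 corrects; both fixes should be folded into this commit.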
diff --git lib/ngx/ssl.lua lib/ngx/ssl.lua -index 8792be0..aa1d0f8 100644 +index 8792be0..16b9c13 100644 --- lib/ngx/ssl.lua +++ lib/ngx/ssl.lua @@ -26,6 +26,7 @@ local ngx_lua_ffi_ssl_set_der_private_key @@ -20,16 +20,15 @@ index 8792be0..aa1d0f8 100644 int ngx_http_lua_ffi_ssl_raw_client_addr(ngx_http_request_t *r, char **addr, size_t *addrlen, int *addrtype, char **err); -@@ -96,7 +100,7 @@ if subsystem == 'http' then - C.ngx_http_lua_ffi_ssl_set_der_private_key +@@ -97,6 +101,7 @@ if subsystem == 'http' then ngx_lua_ffi_ssl_raw_server_addr = C.ngx_http_lua_ffi_ssl_raw_server_addr ngx_lua_ffi_ssl_server_port = C.ngx_http_lua_ffi_ssl_server_port -- ngx_lua_ffi_ssl_server_name = C.ngx_http_lua_ffi_ssl_server_name + ngx_lua_ffi_ssl_server_name = C.ngx_http_lua_ffi_ssl_server_name + ngx_lua_ffi_ssl_session_hostname = C.ngx_http_lua_ffi_ssl_session_hostname ngx_lua_ffi_ssl_raw_client_addr = C.ngx_http_lua_ffi_ssl_raw_client_addr ngx_lua_ffi_cert_pem_to_der = C.ngx_http_lua_ffi_cert_pem_to_der ngx_lua_ffi_priv_key_pem_to_der = C.ngx_http_lua_ffi_priv_key_pem_to_der -@@ -129,6 +133,9 @@ elseif subsystem == 'stream' then +@@ -129,6 +134,9 @@ elseif subsystem == 'stream' then int ngx_stream_lua_ffi_ssl_server_name(ngx_stream_lua_request_t *r, char **name, size_t *namelen, char **err); @@ -39,7 +38,7 @@ index 8792be0..aa1d0f8 100644 int ngx_stream_lua_ffi_ssl_raw_client_addr(ngx_stream_lua_request_t *r, char **addr, size_t *addrlen, int *addrtype, char **err); -@@ -168,6 +175,7 @@ elseif subsystem == 'stream' then +@@ -168,6 +176,7 @@ elseif subsystem == 'stream' then ngx_lua_ffi_ssl_raw_server_addr = C.ngx_stream_lua_ffi_ssl_raw_server_addr ngx_lua_ffi_ssl_server_port = C.ngx_stream_lua_ffi_ssl_server_port ngx_lua_ffi_ssl_server_name = C.ngx_stream_lua_ffi_ssl_server_name 
@@ -47,7 +46,7 @@ index 8792be0..aa1d0f8 100644 ngx_lua_ffi_ssl_raw_client_addr = C.ngx_stream_lua_ffi_ssl_raw_client_addr ngx_lua_ffi_cert_pem_to_der = C.ngx_stream_lua_ffi_cert_pem_to_der ngx_lua_ffi_priv_key_pem_to_der = C.ngx_stream_lua_ffi_priv_key_pem_to_der -@@ -299,6 +307,27 @@ function _M.server_name() +@@ -299,6 +308,27 @@ function _M.server_name() end From 9c48a08df6c9a60474708b7763a3831ce336286d Mon Sep 17 00:00:00 2001 From: Nic Date: Mon, 16 Jun 2025 18:01:50 +0800 Subject: [PATCH 08/13] f Signed-off-by: Nic --- patch/1.21.4/ngx_lua-ssl_session_hostname.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/patch/1.21.4/ngx_lua-ssl_session_hostname.patch b/patch/1.21.4/ngx_lua-ssl_session_hostname.patch index 8fa4734..e83b412 100644 --- a/patch/1.21.4/ngx_lua-ssl_session_hostname.patch +++ b/patch/1.21.4/ngx_lua-ssl_session_hostname.patch @@ -1,5 +1,5 @@ diff --git src/ngx_http_lua_ssl_certby.c src/ngx_http_lua_ssl_certby.c -index b8e70dde..f00f794f 100644 +index b8e70dde..c3bfc790 100644 --- src/ngx_http_lua_ssl_certby.c +++ src/ngx_http_lua_ssl_certby.c @@ -870,6 +870,46 @@ ngx_http_lua_ffi_ssl_server_name(ngx_http_request_t *r, char **name, @@ -24,7 +24,7 @@ index b8e70dde..f00f794f 100644 + } + +#if (defined(TLS1_3_VERSION) \ -+ && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL) ++ && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)) + + /* + * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+, From 9028f9a38dcaa6b8de51483f4a2f22cefac6e51e Mon Sep 17 00:00:00 2001 From: Nic Date: Wed, 18 Jun 2025 14:55:58 +0800 Subject: [PATCH 09/13] f Signed-off-by: Nic --- .../ngx_stream_lua-ssl_session_hostname.patch | 54 +++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 patch/1.21.4/ngx_stream_lua-ssl_session_hostname.patch 
diff --git a/patch/1.21.4/ngx_stream_lua-ssl_session_hostname.patch b/patch/1.21.4/ngx_stream_lua-ssl_session_hostname.patch new file mode 100644 index 0000000..08eb3a1 --- /dev/null +++ b/patch/1.21.4/ngx_stream_lua-ssl_session_hostname.patch @@ -0,0 +1,54 @@ +diff --git src/ngx_stream_lua_ssl_certby.c src/ngx_stream_lua_ssl_certby.c +index 7b4cc5b..a67386d 100644 +--- src/ngx_stream_lua_ssl_certby.c ++++ src/ngx_stream_lua_ssl_certby.c +@@ -882,6 +882,49 @@ ngx_stream_lua_ffi_ssl_server_name(ngx_stream_lua_request_t *r, char **name, + } + + ++int ++ngx_stream_lua_ffi_ssl_session_hostname(ngx_stream_request_t *r, char **name, ++ size_t *namelen, char **err) ++{ ++ ngx_ssl_conn_t *ssl_conn; ++ ++ if (r->connection == NULL || r->connection->ssl == NULL) { ++ *err = "bad request"; ++ return NGX_ERROR; ++ } ++ ++ ssl_conn = r->connection->ssl->connection; ++ if (ssl_conn == NULL) { ++ *err = "bad ssl conn"; ++ return NGX_ERROR; ++ } ++ ++#if (defined(TLS1_3_VERSION) \ ++ && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)) ++ ++ /* ++ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+, ++ * but servername being negotiated in every TLSv1.3 handshake ++ * is only returned in OpenSSL 1.1.1+ as well ++ */ ++ ++ SSL_SESSION *sess = SSL_get0_session(ssl_conn); ++ if (sess != NULL) { ++ *name = (char *) SSL_SESSION_get0_hostname(sess); ++ if (*name) { ++ *namelen = ngx_strlen(*name); ++ return NGX_OK; ++ } ++ } ++ ++#endif ++ ++ *name = ""; ++ *namelen = 0; ++ return NGX_OK; ++} ++ ++ + int + ngx_stream_lua_ffi_ssl_server_port(ngx_stream_lua_request_t *r, + unsigned short *server_port, char **err) From 338192b4791c83acb268b7237d67c5983160e9a3 Mon Sep 17 00:00:00 2001 From: Nic Date: Thu, 19 Jun 2025 15:37:54 +0800 Subject: [PATCH 10/13] f Signed-off-by: Nic --- patch/1.21.4/ngx_stream_lua-ssl_session_hostname.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
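Review bot: The parameter type `ngx_stream_request_t *r` in `ngx_stream_lua_ffi_ssl_session_hostname` does not match the `ngx_stream_lua_request_t *r` used by the neighbouring `ngx_stream_lua_ffi_ssl_server_name` and declared in the lua-resty-core cdef, so `r->connection` is read through the wrong struct type; patch 10 changes it to `ngx_stream_lua_request_t *r`, and that correction should be squashed into this commit. The `sess != NULL` guard around `SSL_SESSION_get0_hostname` in this variant is the right shape and should be kept rather than removed as patch 11 does.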
diff --git a/patch/1.21.4/ngx_stream_lua-ssl_session_hostname.patch b/patch/1.21.4/ngx_stream_lua-ssl_session_hostname.patch index 08eb3a1..f41d297 100644 --- a/patch/1.21.4/ngx_stream_lua-ssl_session_hostname.patch +++ b/patch/1.21.4/ngx_stream_lua-ssl_session_hostname.patch @@ -1,5 +1,5 @@ diff --git src/ngx_stream_lua_ssl_certby.c src/ngx_stream_lua_ssl_certby.c -index 7b4cc5b..a67386d 100644 +index 7b4cc5b..054a45e 100644 --- src/ngx_stream_lua_ssl_certby.c +++ src/ngx_stream_lua_ssl_certby.c @@ -882,6 +882,49 @@ ngx_stream_lua_ffi_ssl_server_name(ngx_stream_lua_request_t *r, char **name, @@ -7,7 +7,7 @@ index 7b4cc5b..a67386d 100644 +int -+ngx_stream_lua_ffi_ssl_session_hostname(ngx_stream_request_t *r, char **name, ++ngx_stream_lua_ffi_ssl_session_hostname(ngx_stream_lua_request_t *r, char **name, + size_t *namelen, char **err) +{ + ngx_ssl_conn_t *ssl_conn; From 97d78233d8684d27cb34cab4307d0c51cd80dd58 Mon Sep 17 00:00:00 2001 From: Nic Date: Fri, 20 Jun 2025 15:30:32 +0800 Subject: [PATCH 11/13] f Signed-off-by: Nic --- .../ngx_stream_lua-ssl_session_hostname.patch | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/patch/1.21.4/ngx_stream_lua-ssl_session_hostname.patch b/patch/1.21.4/ngx_stream_lua-ssl_session_hostname.patch index f41d297..9e91666 100644 --- a/patch/1.21.4/ngx_stream_lua-ssl_session_hostname.patch +++ b/patch/1.21.4/ngx_stream_lua-ssl_session_hostname.patch @@ -1,8 +1,8 @@ diff --git src/ngx_stream_lua_ssl_certby.c src/ngx_stream_lua_ssl_certby.c -index 7b4cc5b..054a45e 100644 +index 7b4cc5b..3aa44bb 100644 --- src/ngx_stream_lua_ssl_certby.c +++ src/ngx_stream_lua_ssl_certby.c -@@ -882,6 +882,49 @@ ngx_stream_lua_ffi_ssl_server_name(ngx_stream_lua_request_t *r, char **name, +@@ -882,6 +882,46 @@ ngx_stream_lua_ffi_ssl_server_name(ngx_stream_lua_request_t *r, char **name, } 
@@ -32,15 +32,12 @@ index 7b4cc5b..054a45e 100644 + * is only returned in OpenSSL 1.1.1+ as well + */ + -+ SSL_SESSION *sess = SSL_get0_session(ssl_conn); -+ if (sess != NULL) { -+ *name = (char *) SSL_SESSION_get0_hostname(sess); -+ if (*name) { -+ *namelen = ngx_strlen(*name); -+ return NGX_OK; -+ } -+ } ++ *name = (char *) SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn)); + ++ if (*name) { ++ *namelen = ngx_strlen(*name); ++ return NGX_OK; ++ } +#endif + + *name = ""; From a45254ce096775de93d5adb6bc8d6e7438634b36 Mon Sep 17 00:00:00 2001 From: Nic Date: Mon, 23 Jun 2025 09:54:14 +0800 Subject: [PATCH 12/13] add patch for 1.27 Signed-off-by: Nic --- .../ngx_lua-ssl_session_hostname.patch | 51 +++++++++++++++++++ .../ngx_stream_lua-ssl_session_hostname.patch | 51 +++++++++++++++++++ 2 files changed, 102 insertions(+) create mode 100644 patch/1.27.1.1/ngx_lua-ssl_session_hostname.patch create mode 100644 patch/1.27.1.1/ngx_stream_lua-ssl_session_hostname.patch diff --git a/patch/1.27.1.1/ngx_lua-ssl_session_hostname.patch b/patch/1.27.1.1/ngx_lua-ssl_session_hostname.patch new file mode 100644 index 0000000..7a0bc85 --- /dev/null +++ b/patch/1.27.1.1/ngx_lua-ssl_session_hostname.patch 
@@ -0,0 +1,51 @@ +diff --git src/ngx_http_lua_ssl_certby.c src/ngx_http_lua_ssl_certby.c +index 72a651bd..7db28e10 100644 +--- src/ngx_http_lua_ssl_certby.c ++++ src/ngx_http_lua_ssl_certby.c +@@ -870,6 +870,46 @@ ngx_http_lua_ffi_ssl_server_name(ngx_http_request_t *r, char **name, + } + + ++int ++ngx_http_lua_ffi_ssl_session_hostname(ngx_http_request_t *r, char **name, ++ size_t *namelen, char **err) ++{ ++ ngx_ssl_conn_t *ssl_conn; ++ ++ if (r->connection == NULL || r->connection->ssl == NULL) { ++ *err = "bad request"; ++ return NGX_ERROR; ++ } ++ ++ ssl_conn = r->connection->ssl->connection; ++ if (ssl_conn == NULL) { ++ *err = "bad ssl conn"; ++ return NGX_ERROR; ++ } ++ ++#if (defined(TLS1_3_VERSION) \ ++ && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)) ++ ++ /* ++ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+, ++ * but servername being negotiated in every TLSv1.3 handshake ++ * is only returned in OpenSSL 1.1.1+ as well ++ */ ++ ++ *name = (char *) SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn)); ++ ++ if (*name) { ++ *namelen = ngx_strlen(*name); ++ return NGX_OK; ++ } ++#endif ++ ++ *name = ""; ++ *namelen = 0; ++ return NGX_OK; ++} ++ ++ + int + ngx_http_lua_ffi_ssl_server_port(ngx_http_request_t *r, + unsigned short *server_port, char **err) diff --git a/patch/1.27.1.1/ngx_stream_lua-ssl_session_hostname.patch b/patch/1.27.1.1/ngx_stream_lua-ssl_session_hostname.patch new file mode 100644 index 0000000..9adef70 --- /dev/null +++ b/patch/1.27.1.1/ngx_stream_lua-ssl_session_hostname.patch 
@@ -0,0 +1,51 @@ +diff --git src/ngx_stream_lua_ssl_certby.c src/ngx_stream_lua_ssl_certby.c +index a34e187..0f65d82 100644 +--- src/ngx_stream_lua_ssl_certby.c ++++ src/ngx_stream_lua_ssl_certby.c +@@ -884,6 +884,46 @@ ngx_stream_lua_ffi_ssl_server_name(ngx_stream_lua_request_t *r, char **name, + } + + ++int ++ngx_stream_lua_ffi_ssl_session_hostname(ngx_stream_lua_request_t *r, char **name, ++ size_t *namelen, char **err) ++{ ++ ngx_ssl_conn_t *ssl_conn; ++ ++ if (r->connection == NULL || r->connection->ssl == NULL) { ++ *err = "bad request"; ++ return NGX_ERROR; ++ } ++ ++ ssl_conn = r->connection->ssl->connection; ++ if (ssl_conn == NULL) { ++ *err = "bad ssl conn"; ++ return NGX_ERROR; ++ } ++ ++#if (defined(TLS1_3_VERSION) \ ++ && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)) ++ ++ /* ++ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+, ++ * but servername being negotiated in every TLSv1.3 handshake ++ * is only returned in OpenSSL 1.1.1+ as well ++ */ ++ ++ *name = (char *) SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn)); ++ ++ if (*name) { ++ *namelen = ngx_strlen(*name); ++ return NGX_OK; ++ } ++#endif ++ ++ *name = ""; ++ *namelen = 0; ++ return NGX_OK; ++} ++ ++ + int + ngx_stream_lua_ffi_ssl_server_port(ngx_stream_lua_request_t *r, + unsigned short *server_port, char **err) From c32d3941353ca95c3f0c938d5666993c6363e29b Mon Sep 17 00:00:00 2001 From: Nic Date: Mon, 23 Jun 2025 10:00:54 +0800 Subject: [PATCH 13/13] add patch for 1.27 Signed-off-by: Nic --- .../lua-resty-core-ssl_session_hostname.patch | 76 +++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 patch/1.27.1.1/lua-resty-core-ssl_session_hostname.patch diff --git a/patch/1.27.1.1/lua-resty-core-ssl_session_hostname.patch b/patch/1.27.1.1/lua-resty-core-ssl_session_hostname.patch new file mode 100644 index 0000000..1ae2874 --- /dev/null +++ b/patch/1.27.1.1/lua-resty-core-ssl_session_hostname.patch 
@@ -0,0 +1,76 @@ +diff --git lib/ngx/ssl.lua lib/ngx/ssl.lua +index b696bea..ff1f251 100644 +--- lib/ngx/ssl.lua ++++ lib/ngx/ssl.lua +@@ -26,6 +26,7 @@ local ngx_lua_ffi_ssl_set_der_private_key + local ngx_lua_ffi_ssl_raw_server_addr + local ngx_lua_ffi_ssl_server_port + local ngx_lua_ffi_ssl_server_name ++local ngx_lua_ffi_ssl_session_hostname + local ngx_lua_ffi_ssl_raw_client_addr + local ngx_lua_ffi_cert_pem_to_der + local ngx_lua_ffi_priv_key_pem_to_der +@@ -64,6 +65,9 @@ if subsystem == 'http' then + int ngx_http_lua_ffi_ssl_server_name(ngx_http_request_t *r, char **name, + size_t *namelen, char **err); + ++ int ngx_http_lua_ffi_ssl_session_hostname(ngx_http_request_t *r, char **name, ++ size_t *namelen, char **err); ++ + int ngx_http_lua_ffi_ssl_raw_client_addr(ngx_http_request_t *r, char **addr, + size_t *addrlen, int *addrtype, char **err); + +@@ -124,6 +128,7 @@ if subsystem == 'http' then + ngx_lua_ffi_ssl_raw_server_addr = C.ngx_http_lua_ffi_ssl_raw_server_addr + ngx_lua_ffi_ssl_server_port = C.ngx_http_lua_ffi_ssl_server_port + ngx_lua_ffi_ssl_server_name = C.ngx_http_lua_ffi_ssl_server_name ++ ngx_lua_ffi_ssl_session_hostname = C.ngx_http_lua_ffi_ssl_session_hostname + ngx_lua_ffi_ssl_raw_client_addr = C.ngx_http_lua_ffi_ssl_raw_client_addr + ngx_lua_ffi_cert_pem_to_der = C.ngx_http_lua_ffi_cert_pem_to_der + ngx_lua_ffi_priv_key_pem_to_der = C.ngx_http_lua_ffi_priv_key_pem_to_der +@@ -164,6 +169,9 @@ elseif subsystem == 'stream' then + int ngx_stream_lua_ffi_ssl_server_name(ngx_stream_lua_request_t *r, + char **name, size_t *namelen, char **err); + ++ int ngx_stream_lua_ffi_ssl_session_hostname(ngx_stream_lua_request_t *r, ++ char **name, size_t *namelen, char **err); ++ + int ngx_stream_lua_ffi_ssl_raw_client_addr(ngx_stream_lua_request_t *r, + char **addr, size_t *addrlen, int *addrtype, char **err); + +@@ -212,6 +220,7 @@ elseif subsystem == 'stream' then + ngx_lua_ffi_ssl_raw_server_addr = C.ngx_stream_lua_ffi_ssl_raw_server_addr + 
ngx_lua_ffi_ssl_server_port = C.ngx_stream_lua_ffi_ssl_server_port + ngx_lua_ffi_ssl_server_name = C.ngx_stream_lua_ffi_ssl_server_name ++ ngx_lua_ffi_ssl_session_hostname = C.ngx_stream_lua_ffi_ssl_session_hostname + ngx_lua_ffi_ssl_raw_client_addr = C.ngx_stream_lua_ffi_ssl_raw_client_addr + ngx_lua_ffi_cert_pem_to_der = C.ngx_stream_lua_ffi_cert_pem_to_der + ngx_lua_ffi_priv_key_pem_to_der = C.ngx_stream_lua_ffi_priv_key_pem_to_der +@@ -346,6 +355,27 @@ function _M.server_name() + end + + ++function _M.session_hostname() ++ local r = get_request() ++ if not r then ++ error("no request found") ++ end ++ ++ local sizep = get_size_ptr() ++ ++ local rc = ngx_lua_ffi_ssl_session_hostname(r, charpp, sizep, errmsg) ++ if rc ~= FFI_OK then ++ return nil, ffi_str(errmsg[0]) ++ end ++ ++ if sizep[0] == 0 then ++ return nil ++ end ++ ++ return ffi_str(charpp[0], sizep[0]) ++end ++ ++ + function _M.raw_client_addr() + local r = get_request() + if not r then