From: Remi Gacogne
Date: Thu, 7 Jan 2021 15:41:32 +0000 (+0100)
Subject: dnsdist: Fix SNI on resumed sessions by acknowledging the name sent by the client
X-Git-Tag: rec-4.5.0-alpha1~31^2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=767a9d3a727a4a3b4073f01fab4b2c1d7c55d73e;p=thirdparty%2Fpdns.git

dnsdist: Fix SNI on resumed sessions by acknowledging the name sent by the client

Otherwise `SSL_get_servername()` only returns true when the session has been freshly established, and will return `nullptr` when it is resumed.
---

diff --git a/pdns/dnsdistdist/libssl.cc b/pdns/dnsdistdist/libssl.cc
index 26647cddc5..deffcdbf49 100644
--- a/pdns/dnsdistdist/libssl.cc
+++ b/pdns/dnsdistdist/libssl.cc
@@ -161,6 +161,18 @@ int libssl_ticket_key_callback(SSL *s, OpenSSLTLSTicketKeysRing& keyring, unsign
 return 1;
 }
 
+static long libssl_server_name_callback(SSL* ssl, int* al, void* arg)
+{
+ (void) al;
+ (void) arg;
+
+ if (SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name)) {
+ return SSL_TLSEXT_ERR_OK;
+ }
+
+ return SSL_TLSEXT_ERR_NOACK;
+}
+
 static void libssl_info_callback(const SSL *ssl, int where, int ret)
 {
 SSL_CTX* sslCtx = SSL_get_SSL_CTX(ssl);
@@ -685,6 +697,11 @@ std::unique_ptr libssl_init_server_context(const TLS
 SSL_CTX_sess_set_cache_size(ctx.get(), config.d_maxStoredSessions);
 }
 
+ /* we need to set this callback to acknowledge the server name sent by the client,
+ otherwise it will not stored in the session and will not be accessible when the
+ session is resumed, causing SSL_get_servername to return nullptr */
+ SSL_CTX_set_tlsext_servername_callback(ctx.get(), &libssl_server_name_callback);
+
 std::vector keyTypes;
 /* load certificate and private key */
 for (const auto& pair : config.d_certKeyPairs) {
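Review bot: The new libssl_server_name_callback is declared to return `long`, but the servername callback OpenSSL expects has the type `int (*)(SSL *, int *, void *)`; because SSL_CTX_set_tlsext_servername_callback casts the pointer through `void (*)(void)`, the compiler cannot flag the mismatch and the library ends up calling the function through an incompatible pointer type. Changing the signature to `static int libssl_server_name_callback(SSL* ssl, int* al, void* arg)` matches the documented type with no other change. The function also has no comment explaining that it deliberately accepts any name without validating it, which a later reader may mistake for an omission; a header such as `/* SNI acknowledgement only: any name the client sent is accepted so that OpenSSL keeps it in the session; the name itself is not validated here */` would make the intent explicit.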
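Review bot: The comment added above the SSL_CTX_set_tlsext_servername_callback call has a typo, `otherwise it will not stored in the session` should read `otherwise it will not be stored in the session`. The call's return value is discarded; SSL_CTX_set_tlsext_servername_callback returns 1 on success and 0 on failure, and a registration that silently fails would quietly reintroduce the resumed-session bug this commit fixes, so checking it and logging or failing context setup would make the fix more robust. The neighbouring SSL_CTX_sess_set_cache_size call in the hunk is also unchecked, so this may simply follow the file's existing style. libssl_init_server_context begins and ends outside the hunk.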