From 767a9d3a727a4a3b4073f01fab4b2c1d7c55d73e Mon Sep 17 00:00:00 2001
From: Remi Gacogne
Date: Thu, 7 Jan 2021 16:41:32 +0100
Subject: [PATCH] dnsdist: Fix SNI on resumed sessions by acknowledging the name sent by the client

Otherwise `SSL_get_servername()` only returns true when the session has been freshly established, and will return `nullptr` when it is resumed.

---
 pdns/dnsdistdist/libssl.cc | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/pdns/dnsdistdist/libssl.cc b/pdns/dnsdistdist/libssl.cc
index 26647cddc5..deffcdbf49 100644
--- a/pdns/dnsdistdist/libssl.cc
+++ b/pdns/dnsdistdist/libssl.cc
@@ -161,6 +161,18 @@ int libssl_ticket_key_callback(SSL *s, OpenSSLTLSTicketKeysRing& keyring, unsign
 return 1;
 }
 
+static long libssl_server_name_callback(SSL* ssl, int* al, void* arg)
+{
+ (void) al;
+ (void) arg;
+
+ if (SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name)) {
+ return SSL_TLSEXT_ERR_OK;
+ }
+
+ return SSL_TLSEXT_ERR_NOACK;
+}
+
 static void libssl_info_callback(const SSL *ssl, int where, int ret)
 {
 SSL_CTX* sslCtx = SSL_get_SSL_CTX(ssl);
@@ -685,6 +697,11 @@ std::unique_ptr libssl_init_server_context(const TLS
 SSL_CTX_sess_set_cache_size(ctx.get(), config.d_maxStoredSessions);
 }
 
+ /* we need to set this callback to acknowledge the server name sent by the client,
+ otherwise it will not stored in the session and will not be accessible when the
+ session is resumed, causing SSL_get_servername to return nullptr */
+ SSL_CTX_set_tlsext_servername_callback(ctx.get(), &libssl_server_name_callback);
+
 std::vector keyTypes;
 /* load certificate and private key */
 for (const auto& pair : config.d_certKeyPairs) {
-- 
2.47.2
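Review bot: `libssl_server_name_callback` is declared as returning `long`, but the callback type that `SSL_CTX_set_tlsext_servername_callback` installs is `int (*)(SSL *, int *, void *)`, so OpenSSL calls it through a pointer of a different function type and it only works because the installer casts through `void (*)(void)`. The signature line should read `static int libssl_server_name_callback(SSL* ssl, int* al, void* arg)`, which also makes the `SSL_TLSEXT_ERR_OK`/`SSL_TLSEXT_ERR_NOACK` returns match their declared type. The function has no header comment; something like `/* acknowledge whatever SNI the client sent so OpenSSL keeps it in the session for resumption; the name is client-supplied and not validated against any certificate here */` would record the intent and the trust boundary for the next reader. The `(void) al; (void) arg;` pair is fine as written; `[[maybe_unused]]` would be an option only if the file is already built as C++17, which this hunk does not show.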
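Review bot: The comment added above the `SSL_CTX_set_tlsext_servername_callback` call has a grammatical slip, "it will not stored", which should read `otherwise it will not be stored in the session and will not be accessible when the`. The call's return value is discarded; OpenSSL's servername-callback ctrl returns 1 on success, so a check would be cheap if the surrounding code treats other `SSL_CTX_*` setters that way, which is not visible in this hunk. `libssl_init_server_context` starts and ends outside the hunk.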