nginx/src
Sergey Kandaurov 13935cf9fd SNI: added restriction for TLSv1.3 cross-SNI session resumption.
In OpenSSL, session resumption always happens in the default SSL context,
prior to invoking the SNI callback.  Further, unlike in TLSv1.2 and older
protocols, SSL_get_servername() returns values received in the resumption
handshake, which may be different from the value in the initial handshake.
Notably, this makes the restriction added in b720f650b insufficient for
sessions resumed with different SNI server name.

Considering the example from b720f650b, previously, a client was able to
request example.org by presenting a certificate for example.org, then to
resume and request example.com.

The fix is to reject handshakes resumed with a different server name, if
verification of client certificates is enabled in a corresponding server
configuration.
2025-02-05 20:40:47 +04:00
core Version bump. 2025-02-05 20:40:47 +04:00
event QUIC: added missing casts in iov_base assignments. 2025-02-05 20:40:47 +04:00
http SNI: added restriction for TLSv1.3 cross-SNI session resumption. 2025-02-05 20:40:47 +04:00
mail Overhauled some diagnostic messages akin to 1b05b9bbcebf. 2024-03-22 14:51:14 +04:00
misc
os Detect cache line size at runtime on macOS. 2024-02-26 20:00:40 +00:00
stream SNI: added restriction for TLSv1.3 cross-SNI session resumption. 2025-02-05 20:40:47 +04:00