
about "strict sni". #7

Closed
NewBugger opened this Issue Oct 5, 2018 · 40 comments

NewBugger (Author) commented Oct 5, 2018

In the patch, it contains this:

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c    2018-10-02 15:13:36.414143028 +0000
+++ b/src/event/ngx_event_openssl.c    2018-10-04 13:58:28.756873433 +0000
@@ -1456,6 +1456,13 @@ ngx_ssl_handshake(ngx_connection_t *c)

     c->read->error = 1;

+
+    if (sslerr == SSL_ERROR_SSL) {
+        ERR_peek_error();
+        ERR_clear_error();
+        return NGX_ERROR;
+    }
+
     ngx_ssl_connection_error(c, sslerr, err, "SSL_do_handshake() failed");

return NGX_ERROR;
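Review bot: the `ERR_peek_error();` call discards its return value, so this block is effectively `ERR_clear_error(); return NGX_ERROR;` and it silences every SSL_ERROR_SSL that SSL_do_handshake() reports, not only the strict-SNI rejection the patch is aimed at. Peek the error into a variable and clear the queue only when it is the callback failure, or at least emit a debug-level log line before returning, so that unrelated handshake failures still reach error.log.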

But in this commit:

Not compatible with ssl_early_data.

I use BoringSSL and the ssl_early_data on; directive.

hakasenyang (Owner) commented Oct 5, 2018

An error log appears in nginx/error.log.

If ssl_early_data is turned on in a browser that supports TLS 1.3, a related error will occur.

NewBugger (Author) commented Oct 5, 2018

I see. Thanks.

@NewBugger NewBugger closed this Oct 5, 2018

@hakasenyang hakasenyang added the question label Oct 6, 2018

JemmyLoveJenny referenced this issue in hakasenyang/nginx-build Oct 6, 2018

Revert "Update nginx strict sni patch."
This reverts commit 997e1bb.

Not compatible with ssl_early_data.
hakasenyang (Owner) commented Oct 6, 2018

NewBugger (Author) commented Oct 6, 2018

OK, I'll try it.

@NewBugger NewBugger reopened this Oct 6, 2018

NewBugger (Author) commented Oct 6, 2018

And I met an issue; I'll try this patch to check whether it can solve it.

CarterLi commented Oct 6, 2018

I got ERR_SSL_UNRECOGNIZED_NAME_ALERT when using nginx_1.15.4_strict-sni.patch with nginx 1.15.5.

I got no such errors with the old nginx_strict-sni.patch.

hakasenyang (Owner) commented Oct 6, 2018

@CarterLi If you want to terminate a full connection, this patch is not correct.
It is normal for the error message to appear.

In the OpenSSL source, ssl/statem/extensions.c:

    case SSL_TLSEXT_ERR_ALERT_FATAL:
        SSLfatal(s, altmp, SSL_F_FINAL_SERVER_NAME, SSL_R_CALLBACK_FAILED);
        return 0;

SSLfatal is called with SSL_F_FINAL_SERVER_NAME.

static int final_server_name(SSL *s, unsigned int context, int sent)
{
    int ret = SSL_TLSEXT_ERR_NOACK;
    int altmp = SSL_AD_UNRECOGNIZED_NAME;
    int was_ticket = (SSL_get_options(s) & SSL_OP_NO_TICKET) == 0;

If you want a complete connection shutdown, use the old version of the patch.
Here is the source.

nginx

Same source.

diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c	2018-09-15 10:02:36.520076032 +0000
+++ b/src/http/ngx_http_request.c	2018-09-15 10:26:32.826874950 +0000
@@ -882,7 +882,7 @@
     servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
 
     if (servername == NULL) {
-        return SSL_TLSEXT_ERR_NOACK;
+        return SSL_TLSEXT_ERR_ALERT_FATAL;
     }
 
     c = ngx_ssl_get_connection(ssl_conn);
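Review bot: `servername == NULL` also covers a client that sent no SNI extension at all, so returning SSL_TLSEXT_ERR_ALERT_FATAL here refuses every such client at the handshake instead of letting the default server answer. That is the intended strict behaviour, but it should be stated in the README, because monitoring probes and tools run without a server name (openssl s_client without -servername, for example) will fail in exactly this way.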
@@ -897,7 +897,7 @@
     host.len = ngx_strlen(servername);
 
     if (host.len == 0) {
-        return SSL_TLSEXT_ERR_NOACK;
+        return SSL_TLSEXT_ERR_ALERT_FATAL;
     }
 

     host.data = (u_char *) servername;
@@ -912,7 +912,7 @@
                                      NULL, &cscf)
         != NGX_OK)
     {
-        return SSL_TLSEXT_ERR_NOACK;
+        return SSL_TLSEXT_ERR_ALERT_FATAL;
     }
 
     hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
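Review bot: with this third hunk any failure of the virtual-server lookup becomes a fatal alert, so a name that matches no server_name no longer falls through to the default server; together with the two hunks above there is then no path by which an unmatched or missing name reaches a server block. This deserves a test with two server blocks, one probed with a matching name and one with an unmatched name, so the behaviour change is exercised rather than assumed.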

OpenSSL

diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index 8422161dc1..75de3dd263 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -998,7 +998,10 @@ static int final_server_name(SSL *s, unsigned int context, int sent)

     switch (ret) {
     case SSL_TLSEXT_ERR_ALERT_FATAL:
-        SSLfatal(s, altmp, SSL_F_FINAL_SERVER_NAME, SSL_R_CALLBACK_FAILED);
+        //SSLfatal(s, altmp, SSL_F_FINAL_SERVER_NAME, SSL_R_CALLBACK_FAILED);
+        s->statem.in_init = 1;
+        s->statem.state = MSG_FLOW_ERROR;
+        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_F_FINAL_RENEGOTIATE);
         return 0;

     case SSL_TLSEXT_ERR_ALERT_WARNING:
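Review bot: the third argument of `ssl3_send_alert(s, SSL3_AL_FATAL, SSL_F_FINAL_RENEGOTIATE)` is the alert description, but SSL_F_FINAL_RENEGOTIATE is a function code, the same kind of value the commented-out SSLfatal call passed in its third position, so the client receives a meaningless description byte instead of the `altmp` (SSL_AD_UNRECOGNIZED_NAME) that final_server_name() prepared; pass `altmp` here. Writing `s->statem.in_init` and `s->statem.state` directly also reproduces only part of what SSLfatal does and ties the patch to the internal state-machine layout, and because SSLfatal is no longer called nothing is queued for the calling application to report.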
NewBugger (Author) commented Oct 7, 2018

@hakasenyang
I want a complete connection shutdown, so do I not need this:

    if (sslerr == SSL_ERROR_SSL) {
        ERR_peek_error();
        ERR_clear_error();
        return NGX_ERROR;
    }

But the old version of the patch has a problem with early data...

NewBugger (Author) commented Oct 7, 2018

Additionally, I made a change in this:

    if (sslerr == SSL_ERROR_SSL) {
        ERR_peek_error();
        ERR_clear_error();
        return NGX_ERROR;
    }

I changed it to:

    if (sslerr == SSL_ERROR_SSL) {
        ngx_ssl_clear_error(c->log);
        return NGX_ERROR;
    }
hakasenyang (Owner) commented Oct 7, 2018

@NewBugger I will test and change the source. :)
Thank you so much.

Does the patch I uploaded have the same error(early data)?

NewBugger (Author) commented Oct 7, 2018

@hakasenyang
Maybe because I use BoringSSL rather than OpenSSL:
I use ssl_early_data on and there is no error log about early data.

NewBugger (Author) commented Oct 7, 2018

Here is the test result after #7 (comment) was patched.

And it seems nginx has no error output.

kn007 commented Oct 7, 2018

@hakasenyang ???
No problem with this file?

hakasenyang (Owner) commented Oct 7, 2018

@kn007 Clients receive ERR_SSL_UNRECOGNIZED_NAME_ALERT errors. (nginx cannot handle it, perhaps.)
No messages appear in the error.log on the nginx server.

kn007 commented Oct 7, 2018

@hakasenyang I know...
But don't you need to judge servername?

hakasenyang (Owner) commented Oct 7, 2018

Oops. My mistake. haha 😄
Thanks!

Re-uploaded.

hakasenyang added a commit that referenced this issue Oct 7, 2018

NewBugger (Author) commented Oct 7, 2018

default

kn007 commented Oct 7, 2018

@NewBugger It may be fixed in the latest patch.

hakasenyang (Owner) commented Oct 7, 2018

It probably does not seem to be compatible with BoringSSL.
Fix the issue the same way as in previous versions.

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 75129134..a41edeab 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -1455,6 +1455,14 @@ ngx_ssl_handshake(ngx_connection_t *c)

     c->read->error = 1;

+#if (!defined SSL_R_CALLBACK_FAILED || !defined SSL_F_FINAL_SERVER_NAME)
+    if (sslerr == SSL_ERROR_SSL) {
+        ERR_peek_error();
+        ERR_clear_error();
+        return NGX_ERROR;
+    }
+#endif
+
     ngx_ssl_connection_error(c, sslerr, err, "SSL_do_handshake() failed");

     return NGX_ERROR;
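Review bot: this `#if (!defined SSL_R_CALLBACK_FAILED || !defined SSL_F_FINAL_SERVER_NAME)` branch is the path for libraries that lack those OpenSSL error codes, and there it swallows every SSL_ERROR_SSL from SSL_do_handshake() with no log line, because `ERR_peek_error()` is called without its result being checked; a strict-SNI rejection cannot be told apart from any other handshake failure. Either log at debug level before returning, or drop the block for libraries that do not need it.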
@@ -1568,6 +1576,14 @@ ngx_ssl_try_early_data(ngx_connection_t *c)

     c->read->error = 1;

+#if (!defined SSL_R_CALLBACK_FAILED || !defined SSL_F_FINAL_SERVER_NAME)
+    if (sslerr == SSL_ERROR_SSL) {
+        ERR_peek_error();
+        ERR_clear_error();
+        return NGX_ERROR;
+    }
+#endif
+
     ngx_ssl_connection_error(c, sslerr, err, "SSL_read_early_data() failed");

     return NGX_ERROR;
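Review bot: this block duplicates the one added to ngx_ssl_handshake() above verbatim; a small static helper that peeks, checks and clears the error queue would keep the two call sites from drifting apart when one of them is fixed, and would make the one-library-only intent of the `#if` visible in a single place.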
@@ -2547,6 +2563,9 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
     char *text)
 {
     int         n;
+#if (defined SSL_R_CALLBACK_FAILED && defined SSL_F_FINAL_SERVER_NAME)
+    int         f;
+#endif
     ngx_uint_t  level;

     level = NGX_LOG_CRIT;
@@ -2583,6 +2602,20 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,

         n = ERR_GET_REASON(ERR_peek_error());

+        /* Strict SNI Error Patch
+         * https://github.com/hakasenyang/openssl-patch/issues/1#issuecomment-427040319
+         */
+#if (defined SSL_R_CALLBACK_FAILED && defined SSL_F_FINAL_SERVER_NAME)
+        if (n == SSL_R_CALLBACK_FAILED) {
+            f = ERR_GET_FUNC(ERR_peek_error());
+            if (f == SSL_F_FINAL_SERVER_NAME) {
+                ERR_peek_error();
+                ERR_clear_error();
+                return;
+            }
+        }
+#endif
+
             /* handshake failures */
         if (n == SSL_R_BAD_CHANGE_CIPHER_SPEC                        /*  103 */
 #ifdef SSL_R_NO_SUITABLE_KEY_SHARE
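Review bot: the early `return` inside the `#if` block leaves ngx_ssl_connection_error() before any log call, which is what makes the rejection silent; if operators should still be able to see refused handshakes, log at NGX_LOG_DEBUG before clearing the queue instead of returning silently. The second `ERR_peek_error();` immediately before `ERR_clear_error();` is redundant, since `n` and `f` were already taken from the peeked error and its return value is unused.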
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 7dd28b8c..5e5bbed1 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -849,7 +849,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
     servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);

     if (servername == NULL) {
-        return SSL_TLSEXT_ERR_NOACK;
+        return SSL_TLSEXT_ERR_ALERT_FATAL;
     }

     c = ngx_ssl_get_connection(ssl_conn);
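Review bot: the callback's `int *ad` output parameter is never assigned before returning SSL_TLSEXT_ERR_ALERT_FATAL, here and in the two hunks that follow, so the alert description sent to the client is whatever the library initialised it to (SSL_AD_UNRECOGNIZED_NAME in the final_server_name() excerpt earlier in this thread). If that alert is relied on, set it explicitly, e.g. `*ad = SSL_AD_UNRECOGNIZED_NAME;`, so the behaviour does not depend on a library default.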
@@ -864,7 +864,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
     host.len = ngx_strlen(servername);

     if (host.len == 0) {
-        return SSL_TLSEXT_ERR_NOACK;
+        return SSL_TLSEXT_ERR_ALERT_FATAL;
     }

     host.data = (u_char *) servername;
@@ -879,7 +879,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
                                      NULL, &cscf)
         != NGX_OK)
     {
-        return SSL_TLSEXT_ERR_NOACK;
+        return SSL_TLSEXT_ERR_ALERT_FATAL;
     }

     hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
NewBugger (Author) commented Oct 7, 2018

@hakasenyang
I don't know what the purpose of adding this is:

        ERR_peek_error();
        ERR_clear_error();
        return NGX_ERROR;
hakasenyang (Owner) commented Oct 7, 2018

@NewBugger If the SNI condition is not met, the following error occurs:

2018/09/15 12:12:08 [crit] 904#904: *3 SSL_do_handshake() failed (SSL: error:1422E0EA:SSL routines:final_server_name:callback failed) while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:8443
2018/09/15 12:12:08 [crit] 904#904: *6 SSL_do_handshake() failed (SSL: error:1422E0EA:SSL routines:final_server_name:callback failed) while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:8443
2018/09/15 12:12:09 [crit] 904#904: *9 SSL_do_handshake() failed (SSL: error:1422E0EA:SSL routines:final_server_name:callback failed) while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:8443
2018/09/15 12:12:09 [crit] 904#904: *12 SSL_do_handshake() failed (SSL: error:1422E0EA:SSL routines:final_server_name:callback failed) while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:8443
2018/09/15 12:12:14 [crit] 904#904: *15 SSL_do_handshake() failed (SSL: error:1422E0EA:SSL routines:final_server_name:callback failed) while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:8443
2018/09/15 12:12:14 [crit] 904#904: *18 SSL_do_handshake() failed (SSL: error:1422E0EA:SSL routines:final_server_name:callback failed) while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:8443
2018/09/15 12:12:45 [crit] 904#904: *22 SSL_do_handshake() failed (SSL: error:1422E0EA:SSL routines:final_server_name:callback failed) while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:8443
2018/09/15 12:12:45 [crit] 904#904: *24 SSL_do_handshake() failed (SSL: error:1422E0EA:SSL routines:final_server_name:callback failed) while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:8443

#1 (comment)

        ERR_peek_error();
        ERR_clear_error();
        return NGX_ERROR;

This source ignores this error.

ngx_ssl_clear_error leaves an error.

static void
ngx_ssl_clear_error(ngx_log_t *log)
{
    while (ERR_peek_error()) {
        ngx_ssl_error(NGX_LOG_ALERT, log, 0, "ignoring stale global SSL error");
    }

    ERR_clear_error();
}
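Added example (not code from this issue or from the openssl-patch project): a Python parser for error.log lines like the ones above. It identifies strict-SNI rejections by the function and reason nginx already printed (`final_server_name` / `callback failed`) and splits the packed OpenSSL 1.1.x error code with the same shifts that ERR_GET_LIB, ERR_GET_FUNC and ERR_GET_REASON use, so an operator who keeps the log line at its normal level can still count and attribute refused handshakes per client. The first three sample lines are copied from the excerpt above; the remaining sample lines and the function names are this example's own constructions.

```python
"""Detect strict-SNI rejections in nginx error.log lines (added example)."""
import re
from collections import Counter

# Constructed sample log: the first three lines are copied from the issue excerpt,
# the remaining lines are constructed (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = """\
2018/09/15 12:12:08 [crit] 904#904: *3 SSL_do_handshake() failed (SSL: error:1422E0EA:SSL routines:final_server_name:callback failed) while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:8443
2018/09/15 12:12:08 [crit] 904#904: *6 SSL_do_handshake() failed (SSL: error:1422E0EA:SSL routines:final_server_name:callback failed) while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:8443
2018/09/15 12:12:09 [crit] 904#904: *9 SSL_do_handshake() failed (SSL: error:1422E0EA:SSL routines:final_server_name:callback failed) while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:8443
2018/09/15 12:12:14 [crit] 904#904: *15 SSL_do_handshake() failed (SSL: error:1422E0EA:SSL routines:final_server_name:callback failed) while SSL handshaking, client: 192.0.2.10, server: 0.0.0.0:8443
2018/09/15 12:13:01 [crit] 904#904: *20 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate) while SSL handshaking, client: 192.0.2.10, server: 0.0.0.0:8443
2018/09/15 12:13:02 [notice] 904#904: signal process started
"""

# One nginx "(SSL: error:...)" line: timestamp, level, pid, connection number,
# the failing call, the packed error code, lib/func/reason text, phase, client, server.
SSL_ERROR_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] (?P<pid>\d+)#\d+: "
    r"\*(?P<conn>\d+) (?P<what>.+?) \(SSL: error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^)]+)\) while (?P<phase>[^,]+), "
    r"client: (?P<client>[^,]+), server: (?P<server>\S+)$"
)

ERR_LIB_SSL = 20  # OpenSSL's library code for "SSL routines"


def decode_error_code(code):
    """Split a packed OpenSSL 1.1.x error code the way ERR_GET_LIB/FUNC/REASON do."""
    return {"lib": (code >> 24) & 0xFF, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF}


def parse_ssl_error_line(line):
    """Return a dict for an SSL error line, or None for any other log line."""
    m = SSL_ERROR_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["conn"] = int(rec["conn"])
    rec["pid"] = int(rec["pid"])
    rec["code"] = int(rec["code"], 16)
    rec.update({"code_" + k: v for k, v in decode_error_code(rec["code"]).items()})
    return rec


def is_strict_sni_rejection(rec):
    """The same test the patch makes on numeric codes, here on the names nginx printed."""
    return (rec["code_lib"] == ERR_LIB_SSL
            and rec["func"] == "final_server_name"
            and rec["reason"] == "callback failed")


def summarize(log_text):
    """Count strict-SNI rejections (per client) against other SSL errors and unrelated lines."""
    by_client = Counter()
    rejections = other = unparsed = 0
    for line in log_text.splitlines():
        rec = parse_ssl_error_line(line)
        if rec is None:
            unparsed += 1
        elif is_strict_sni_rejection(rec):
            rejections += 1
            by_client[rec["client"]] += 1
        else:
            other += 1
    return {"strict_sni_rejections": rejections, "rejections_by_client": dict(by_client),
            "other_ssl_errors": other, "unparsed": unparsed}


if __name__ == "__main__":
    print(decode_error_code(0x1422E0EA))
    print(summarize(SAMPLE_LOG))
```

The numeric split is only informative: for `1422E0EA` it yields library 20 (SSL routines), function 558 and reason 234, which are the codes behind the `final_server_name` and `callback failed` text on the same line, so matching on the printed names is enough and survives a library that does not record function codes.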
NewBugger (Author) commented Oct 7, 2018

@hakasenyang
But does this issue cause the website to become inaccessible?

hakasenyang (Owner) commented Oct 7, 2018

@NewBugger It is not.
You do not need the source if you want the error log to come up normally.

NewBugger (Author) commented Oct 7, 2018

@hakasenyang
Ah, I see.

CarterLi commented Oct 7, 2018

I still got ERR_SSL_UNRECOGNIZED_NAME_ALERT on Chrome with the latest patch. Could you please explain in more detail what it is and how to configure it? Thanks.

I also tried curl

$ curl -v 'https://test.eoitek.net/'
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to test.eoitek.net (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /usr/local/etc/openssl/cert.pem
  CApath: /usr/local/etc/openssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Unknown (21):
* TLSv1.2 (IN), TLS alert, unrecognized name (624):
* error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 unrecognized name
* Closing connection 0
curl: (35) error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 unrecognized name

And I got nothing in error.log.

nginx build param

$ nginx -V
nginx version: nginx/1.15.5
built by clang 10.0.0 (clang-1000.11.45.2)
built with OpenSSL 1.1.1  11 Sep 2018
TLS SNI support enabled
configure arguments: --prefix=/usr/local/Cellar/nginx/1.15.5 --sbin-path=/usr/local/Cellar/nginx/1.15.5/bin/nginx --with-cc-opt='-I/usr/local/opt/pcre/include -I/usr/local/opt/openssl@1.1/include -I/usr/local/opt/zlib/include -I/usr/local/opt/jemalloc/include' --with-ld-opt='-L/usr/local/opt/pcre/lib -L/usr/local/opt/openssl@1.1/lib -L/usr/local/opt/zlib/lib -L/usr/local/opt/jemalloc/lib -ljemalloc' --conf-path=/usr/local/etc/nginx/nginx.conf --pid-path=/usr/local/var/run/nginx.pid --lock-path=/usr/local/var/run/nginx.lock --http-client-body-temp-path=/usr/local/var/run/nginx/client_body_temp --http-proxy-temp-path=/usr/local/var/run/nginx/proxy_temp --http-fastcgi-temp-path=/usr/local/var/run/nginx/fastcgi_temp --http-uwsgi-temp-path=/usr/local/var/run/nginx/uwsgi_temp --http-scgi-temp-path=/usr/local/var/run/nginx/scgi_temp --http-log-path=/usr/local/var/log/nginx/access.log --error-log-path=/usr/local/var/log/nginx/error.log --with-debug --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_degradation_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-mail --with-http_v2_module --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --with-http_spdy_module --with-http_v2_hpack_enc

nginx.conf

server {
	listen 443 ssl spdy http2 fastopen=1 reuseport;
	server_name test.eoitek.net;
	ssl_certificate /Users/Carter/.acme.sh/*.eoitek.net_ecc/fullchain.cer;
	ssl_certificate_key /Users/Carter/.acme.sh/*.eoitek.net_ecc/*.eoitek.net.key;
	ssl_trusted_certificate /Users/Carter/.acme.sh/*.eoitek.net_ecc/ca.cer;
	large_client_header_buffers 4 16k;
	ssl_session_tickets on;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_stapling_file /Users/Carter/.acme.sh/*.eoitek.net_ecc/ocsp.resp;

	ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ARIA128:EECDH+CAMELLIA128:!3DES:!MD5;
  ssl_prefer_server_ciphers on;

  gzip_types text/plain application/javascript text/css image/svg+xml;
  gzip_proxied no-cache no-store private expired auth;

  gzip_static on;
  #brotli_static on;
  gunzip on;
  ssl_dyn_rec_enable on;

	http2_push_preload on;

	root /Users/Carter/newlook/dist;
  # location ...
}
hakasenyang (Owner) commented Oct 7, 2018

@CarterLi You need the OpenSSL patch.

#7 (comment)

Read this.

CarterLi commented Oct 7, 2018

You need OpenSSL patch.

Well, but https://github.com/hakasenyang/openssl-patch#nginx-strict-sni-patch says nothing about openssl?

hakasenyang (Owner) commented Oct 7, 2018

To make a simple patch, I have removed the description of the OpenSSL patch.

CarterLi commented Oct 7, 2018

Patch applied for openssl. Still doesn't work, curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to test.eoitek.net:443 in this case.

There is only one server on my computer. Does it matter?

hakasenyang (Owner) commented Oct 7, 2018

Use this command.

openssl s_client -connect SERVER:PORT -servername abcd

You need at least two server settings. (server {listen 443; ~~~~})

CarterLi commented Oct 7, 2018

Use this command.

openssl s_client -connect SERVER:PORT -servername abcd

You need at least two server settings. (server {listen 443; ~~~~})

Yes, it works after I added a fake server. I do think we'd better explain it in more detail in README.md in order not to confuse people.

Thanks for your help!

EDIT: providing an option to enable/disable it would be a better way.

hakasenyang (Owner) commented Oct 7, 2018

I will add comments to README.md and settings to enable/disable as instructed.

Thank you! 😄

NewBugger (Author) commented Oct 8, 2018

Feedback: BoringSSL does not have the problem described in https://github.com/hakasenyang/openssl-patch/issues/7#issuecomment-427650946.

NewBugger (Author) commented Oct 8, 2018

@hakasenyang
You can kindly remove the BoringSSL part in nginx_strict-sni.patch; it makes no sense.

hakasenyang (Owner) commented Oct 8, 2018

Okay. I will update this. :)

NewBugger (Author) commented Oct 8, 2018

For OpenSSL, I guess it can be changed like this:

static void ngx_ssl_clear_strictsni_error(ngx_log_t *log);

#if (defined SSL_R_CALLBACK_FAILED && defined SSL_F_FINAL_SERVER_NAME)
        if (n == SSL_R_CALLBACK_FAILED) {
            f = ERR_GET_FUNC(ERR_peek_error());
            if (f == SSL_F_FINAL_SERVER_NAME) {
                ngx_ssl_clear_strictsni_error(c->log);
                return;
            }
        }
#endif

static void
ngx_ssl_clear_strictsni_error(ngx_log_t *log)
{
    while (ERR_peek_error()) {
        ngx_ssl_error(NGX_LOG_DEBUG, log, 0, "ignoring ssl error at STRICT SNI block");
    }
    ERR_clear_error();
}

The advantage is that it can generate output when the log level is set to DEBUG.

NewBugger (Author) commented Oct 9, 2018

@hakasenyang
Hmm, what does strict_sni_header mean?

hakasenyang (Owner) commented Oct 9, 2018

@NewBugger

root@hakase:~$ telnet google.com 443
Trying 216.58.197.174...
Connected to google.com.
Escape character is '^]'.
DD
Connection closed by foreign host.
root@hakase:~$ telnet hakase.io 443
Trying 218.148.166.10...
Connected to hakase.io.
Escape character is '^]'.
DD
HTTP/1.1 403 Forbidden
Date: Tue, 09 Oct 2018 16:05:00 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 166
Connection: close
Vary: Accept-Encoding
ETag: "5ba5f304-a6"

<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<center>Sorry, direct IP access not allowed.</center>
</body>
</html>
Connection closed by foreign host.

Google forcibly disconnects for invalid headers.
nginx also responds to invalid headers.

strict_sni_header is an option to force the connection to end without responding to the invalid header.

strict_sni_header on; result:

root@hakase:~$ telnet hakase.io 443
Trying 218.148.166.10...
Connected to hakase.io.
Escape character is '^]'.
DD
Connection closed by foreign host.
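Added example (not code from the project): a Python probe that automates the telnet check above. It sends an invalid request line to a port and reports whether the server closed the connection without responding (the `strict_sni_header on` behaviour shown last) or answered with an HTTP status (the default shown first). A constructed local emulator of both behaviours is included so the probe can be exercised offline against loopback; the class and function names, the port selection and the emulated 403 body are this example's own assumptions.

```python
"""Probe a port with an invalid request line to verify strict_sni_header (added example)."""
import socket
import socketserver
import threading

PROBE = b"DD\r\n\r\n"   # the same deliberately invalid request line as in the telnet session


def probe_invalid_request(host, port, payload=PROBE, timeout=3.0):
    """Return how the server reacts: closed without a reply, or an HTTP status line."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
        chunks = []
        try:
            while True:
                data = sock.recv(4096)
                if not data:                        # peer closed the connection
                    break
                chunks.append(data)
        except (socket.timeout, ConnectionResetError):
            pass
    reply = b"".join(chunks)
    if not reply:
        return {"behaviour": "closed_without_response", "status": None}
    parts = reply.split(b"\r\n", 1)[0].decode("latin-1", "replace").split()
    status = None
    if len(parts) > 1 and parts[0].startswith("HTTP/") and parts[1].isdigit():
        status = int(parts[1])
    return {"behaviour": "responded", "status": status}


# --- constructed local emulator of both behaviours, so the probe can run offline ---

class _Handler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.recv(1024)                     # consume the bogus request line
        if self.server.strict:
            return                                  # strict_sni_header on: drop the connection
        body = (b"<html><head><title>403 Forbidden</title></head><body>"
                b"<center><h1>403 Forbidden</h1></center></body></html>")
        self.request.sendall(b"HTTP/1.1 403 Forbidden\r\n"
                             b"Content-Type: text/html; charset=utf-8\r\n"
                             b"Content-Length: " + str(len(body)).encode() + b"\r\n"
                             b"Connection: close\r\n\r\n" + body)


class EmulatedServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, strict):
        self.strict = strict
        super().__init__(("127.0.0.1", 0), _Handler)   # port 0: let the OS pick a free port


def start_emulated_server(strict):
    """Start an emulator in a background thread; returns (server, port)."""
    srv = EmulatedServer(strict)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def check_behaviour(strict):
    """Run the probe against an emulator configured with the given behaviour."""
    srv, port = start_emulated_server(strict)
    try:
        return probe_invalid_request("127.0.0.1", port)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("strict_sni_header on :", check_behaviour(True))
    print("strict_sni_header off:", check_behaviour(False))
```

Against a real deployment, call probe_invalid_request() with the host and the TLS port; a result of `closed_without_response` is what the `strict_sni_header on` telnet session above shows, while a 403 (or any other status) means the server still answers invalid requests on that port.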

@NewBugger NewBugger closed this Oct 10, 2018
