
Would like to support the ngx.ssl.clienthello get_client_hello_ext custom ext_type feature #2366

Open
lingliy opened this issue Sep 27, 2024 · 0 comments


lingliy commented Sep 27, 2024

  • A minimal and standalone test case that others can easily run on their side and
    reproduce the issue you are seeing.

For example: an HTTPS client request whose TLS ClientHello carries a custom extension of type 0x7172.

gcc -o client client.c -lssl -lcrypto

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <arpa/inet.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#define SERVER_PORT 6094             /* matches `listen 6094 ssl;` in the nginx server block below */
#define CUSTOM_EXTENSION_TYPE 0x7172 /* custom TLS extension type; the same value is queried by get_client_hello_ext(0x7172) */
/* Payload carried in the custom extension. The callback excludes the literal's trailing NUL. */
static const unsigned char custom_extension_data[] = "hello world";
/*
 * Client-side "add" callback for the custom extension (installed through
 * SSL_CTX_add_client_custom_ext in main). Supplies the payload OpenSSL
 * places in the ClientHello for ext_type.
 *
 * out/outlen receive a pointer to the static payload and its length
 * without the string's NUL terminator; nothing is allocated, so no
 * free callback is needed. ssl, ext_type, al and arg are not used.
 * Returns 1, which tells OpenSSL to include the extension.
 */
int add_custom_extensions(SSL *ssl, unsigned int ext_type, const unsigned char **out, size_t *outlen, int *al, void *arg) {
    (void)ssl;
    (void)ext_type;
    (void)al;
    (void)arg;

    /* sizeof counts the implicit '\0' of the literal; drop it. */
    size_t payload_len = sizeof custom_extension_data - 1;

    *outlen = payload_len;
    *out = custom_extension_data;
    return 1;
}
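/*
 * Minimal TLS client used to reproduce the issue: connects to
 * 127.0.0.1:SERVER_PORT, sends a ClientHello that carries
 * CUSTOM_EXTENSION_TYPE, then issues one HTTP GET and prints the first
 * chunk of the reply.
 *
 * Returns 0 on success and 1 on any failure. Every failure path releases
 * whatever was acquired before it (socket, SSL, SSL_CTX) via the single
 * cleanup label at the end.
 *
 * No peer-certificate verification is configured (the SSL_CTX default is
 * used), so this only fits a local test against the self-signed easy-rsa
 * certificate referenced in the server config.
 */
int main(void) {
    int rc = 1;                 /* pessimistic; set to 0 only on full success */
    int sock = -1;              /* -1 means "not opened" for the cleanup path */
    SSL_CTX *ctx = NULL;
    SSL *ssl = NULL;
    struct sockaddr_in server_addr;
    char buf[1024];

    SSL_library_init();
    SSL_load_error_strings();
    OpenSSL_add_all_algorithms();

    ctx = SSL_CTX_new(SSLv23_client_method());
    if (!ctx) {
        ERR_print_errors_fp(stderr);
        goto out;
    }

    /* Register the extension so every ClientHello from this context
     * carries it; add_custom_extensions supplies the payload. Returns 0
     * on failure (e.g. the type is already registered). */
    if (SSL_CTX_add_client_custom_ext(ctx, CUSTOM_EXTENSION_TYPE, add_custom_extensions,
                                      NULL, NULL, NULL, NULL) == 0) {
        ERR_print_errors_fp(stderr);
        goto out;
    }

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) {
        perror("socket");
        goto out;
    }

    memset(&server_addr, 0, sizeof server_addr);
    server_addr.sin_family = AF_INET;
    server_addr.sin_port = htons(SERVER_PORT);
    if (inet_pton(AF_INET, "127.0.0.1", &server_addr.sin_addr) <= 0) {
        perror("inet_pton");
        goto out;
    }
    if (connect(sock, (struct sockaddr *)&server_addr, sizeof server_addr) < 0) {
        perror("connect");
        goto out;
    }

    ssl = SSL_new(ctx);
    if (!ssl) {
        ERR_print_errors_fp(stderr);
        goto out;
    }
    if (SSL_set_fd(ssl, sock) == 0) {
        ERR_print_errors_fp(stderr);
        goto out;
    }
    /* No SNI is set (SSL_set_tlsext_host_name is not called), so the
     * ClientHello only carries the custom extension of interest. The
     * handshake is where that extension goes on the wire. */
    if (SSL_connect(ssl) <= 0) {
        ERR_print_errors_fp(stderr);
        goto out;
    }

    const char *msg = "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n";
    if (SSL_write(ssl, msg, (int)strlen(msg)) <= 0) {
        ERR_print_errors_fp(stderr);
        goto out;
    }

    /* Read at most one buffer; keep one byte free for the terminator. */
    int len = SSL_read(ssl, buf, (int)sizeof buf - 1);
    if (len <= 0) {
        ERR_print_errors_fp(stderr);
        goto out;
    }
    buf[len] = '\0';
    printf("Received: %s\n", buf);

    rc = 0;

out:
    if (ssl) {
        SSL_shutdown(ssl);      /* best-effort close_notify; a failure here is not actionable */
        SSL_free(ssl);          /* does not close the fd: SSL_set_fd keeps the socket unowned */
    }
    if (sock >= 0) {
        close(sock);
    }
    SSL_CTX_free(ctx);          /* NULL-safe */
    return rc;
}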

server config

# Test server for the repro: terminates TLS on 6094 and inspects the ClientHello from Lua.
server {
listen 6094 ssl;
    # Self-signed easy-rsa certificate; the client above performs no peer verification.
    ssl_certificate      /usr/share/easy-rsa/pki/issued/192.168.216.129.crt;
    ssl_certificate_key  /usr/share/easy-rsa/pki/private/192.168.216.129.key;
    # Runs when the ClientHello has been received, before the handshake proceeds.
    ssl_client_hello_by_lua_block {
        local ssl_clt = require "ngx.ssl.clienthello"
        -- Look up the extension the client adds (type 0x7172 == CUSTOM_EXTENSION_TYPE in client.c).
        local ext,err = ssl_clt.get_client_hello_ext(0x7172)
        if not ext then
            -- NOTE(review): the log text says "(0)" while 0x7172 is what was requested; left as written.
            ngx.log(ngx.ERR, "failed to get_client_hello_ext(0): ", err)
            -- Reject the connection when the extension is absent; this is the failure the issue reports.
            ngx.exit(ngx.ERROR)
        end 
    }   
    location / { 
    return 200 "hello 6094\n";
    }   
}

Expected

The return value `ext` of `ssl_clt.get_client_hello_ext(0x7172)` is expected to contain the extension data.

Actual

The return value `ext` of `ssl_clt.get_client_hello_ext(0x7172)` is null.

Suggested fix

Call `SSL_CTX_add_server_custom_ext` right after the `SSL_CTX_set_client_hello_cb` call in the https://github.com/openresty/lua-nginx-module/blob/master/src/ngx_http_lua_module.c file.
example:

/* Existing registration of the ClientHello callback in ngx_http_lua_module.c (unchanged). */
SSL_CTX_set_client_hello_cb(sscf->ssl.ctx,
                                      ngx_http_lua_ssl_client_hello_handler,
                                      NULL);
/* Proposed addition: register 0x7172 as a server-side custom extension with no callbacks.
 * NOTE(review): presumably this makes OpenSSL retain the extension for the ClientHello
 * callback instead of skipping an unknown type -- confirm against the OpenSSL version in use
 * (1.1.1f on the reporter's build). A literal type value would need to come from
 * configuration rather than being hard-coded in the module. */
SSL_CTX_add_server_custom_ext(sscf->ssl.ctx, 0x7172, NULL, NULL, NULL, NULL, NULL);
  • The exact version of the related software, including but not limited to the OpenResty version
nginx version: openresty/1.21.4.2
built by gcc 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2) 
built with OpenSSL 1.1.1f  31 Mar 2020
TLS SNI support enabled
configure arguments: --prefix=/data/chiansec/ztpSevenGW/nginx --with-cc-opt=-O2 --add-module=../ngx_devel_kit-0.3.2 --add-module=../echo-nginx-module-0.63 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.33 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.09 --add-module=../srcache-nginx-module-0.33 --add-module=../ngx_lua-0.10.25 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.34 --add-module=../array-var-nginx-module-0.06 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.9 --add-module=../rds-json-nginx-module-0.16 --add-module=../rds-csv-nginx-module-0.09 --add-module=../ngx_stream_lua-0.0.13 --with-ld-opt=-Wl,-rpath,/data/chiansec/ztpSevenGW/luajit/lib --with-http_stub_status_module --with-pcre --with-pcre-jit --with-stream --with-stream_ssl_preread_module --with-http_ssl_module --with-http_v2_module --with-ipv6 --with-stream --with-stream_ssl_module