TLS: allow support for different protocols on different hosts (same m…

…achine) based on ingress

src/event/ngx_event_openssl.c

@@ -716,7 +716,6 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
             sk_X509_pop_free(chain, X509_free);
             return NGX_ERROR;
         }
-
     } else if (cert_tag == SSL_SIGN_CERT) {
         if (SSL_CTX_use_sign_certificate(ssl->ctx, x509) == 0) {
             ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
@@ -726,7 +725,6 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
             sk_X509_pop_free(chain, X509_free);
             return NGX_ERROR;
         }
-
     } else
 #endif
     if (SSL_CTX_use_certificate(ssl->ctx, x509) == 0) {
@@ -826,7 +824,6 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
             EVP_PKEY_free(pkey);
             return NGX_ERROR;
         }
-
     } else if (cert_tag == SSL_SIGN_CERT) {
         if (SSL_CTX_use_sign_PrivateKey(ssl->ctx, pkey) == 0) {
             ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
@@ -835,7 +832,6 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
             EVP_PKEY_free(pkey);
             return NGX_ERROR;
         }
-
     } else
 #endif
     if (SSL_CTX_use_PrivateKey(ssl->ctx, pkey) == 0) {
@@ -2286,6 +2282,28 @@ ngx_ssl_handshake(ngx_connection_t *c)
     }
 #endif
 
+#ifdef T_INGRESS_SHARED_MEMORY_PB
+if (0
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+            || sslerr == SSL_ERROR_WANT_CLIENT_HELLO_CB
+#endif
+   )
+    {
+        c->read->handler = ngx_ssl_handshake_handler;
+        c->write->handler = ngx_ssl_handshake_handler;
+
+        if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
+            return NGX_ERROR;
+        }
+
+        if (ngx_handle_write_event(c->write, 0) != NGX_OK) {
+            return NGX_ERROR;
+        }
+
+        return NGX_AGAIN;
+    }
+#endif
+
     err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0;
 
     c->ssl->no_wait_shutdown = 1;

src/event/ngx_event_openssl.h

@@ -129,6 +129,10 @@ struct ngx_ssl_connection_s {
     unsigned                    early_preread:1;
     unsigned                    write_blocked:1;
 
+#if defined(T_INGRESS_SHARED_MEMORY_PB) && OPENSSL_VERSION_NUMBER >= 0x10101000L
+    unsigned                    client_hello_retry:1;
+#endif
+
 #if (T_NGX_HAVE_DTLS)
     unsigned                    bio_changed:1;
     unsigned                    dtls_send:1;

src/http/modules/ngx_http_ssl_module.c

@@ -949,6 +949,11 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
     cln->handler = ngx_ssl_cleanup_ctx;
     cln->data = &conf->ssl;
 
+#if defined(T_INGRESS_SHARED_MEMORY_PB) && OPENSSL_VERSION_NUMBER >= 0x10101000L
+    SSL_CTX_set_client_hello_cb(conf->ssl.ctx,
+                                ngx_http_ssl_client_hello_callback, NULL);
+#endif
+
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
 
     if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,

src/http/ngx_http.h

@@ -98,6 +98,9 @@ int ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg);
 int ngx_http_ssl_certificate(ngx_ssl_conn_t *ssl_conn, void *arg);
 #endif
 
+#if defined(T_INGRESS_SHARED_MEMORY_PB) && OPENSSL_VERSION_NUMBER >= 0x10101000L
+int ngx_http_ssl_client_hello_callback(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg);
+#endif
 
 ngx_int_t ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b);
 ngx_int_t ngx_http_parse_uri(ngx_http_request_t *r);