Hello! On Tue, Sep 09, 2025 at 02:31:42PM +0300, Maxim Dounin wrote:
> # HG changeset patch
> # User Maxim Dounin <[email protected]>
> # Date 1757416233 -10800
> # Tue Sep 09 14:10:33 2025 +0300
> # Node ID 223d802d990cf5b32517fca34da299b243f37086
> # Parent c28c012ef2a0448356ed0d8428bb373555689c8c
> SSL: $ssl_encrypted_hello variable.
>
> diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c
> +++ b/src/event/ngx_event_openssl.c
> @@ -5835,6 +5835,48 @@ ngx_ssl_get_early_data(ngx_connection_t
>
>
> ngx_int_t
> +ngx_ssl_get_encrypted_hello(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t
> *s)
> +{
> + s->len = 0;
> +
> +#ifdef OSSL_ECH_FOR_RETRY
> + {
> + char *outer, *inner;
> +
> + /* OpenSSL */
> +
> + outer = NULL;
> + inner = NULL;
> +
> + if (SSL_ech_get1_status(c->ssl->connection, &outer, &inner)
> + == SSL_ECH_STATUS_SUCCESS)
> + {
> + ngx_str_set(s, "1");
> + }
> +
> + if (outer) {
> + OPENSSL_free(outer);
> + }
> +
> + if (inner) {
> + OPENSSL_free(inner);
> + }
> + }

With upcoming fixes to client certificate verification in OpenSSL ECH branch (https://github.com/openssl/openssl/pull/28555), this is adjusted as follows:

diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -5841,6 +5841,7 @@ ngx_ssl_get_encrypted_hello(ngx_connecti
 #ifdef OSSL_ECH_FOR_RETRY
 {
+ int status;
 char *outer, *inner;
 /* OpenSSL */
@@ -5848,8 +5849,10 @@ ngx_ssl_get_encrypted_hello(ngx_connecti
 outer = NULL;
 inner = NULL;
- if (SSL_ech_get1_status(c->ssl->connection, &outer, &inner)
- == SSL_ECH_STATUS_SUCCESS)
+ status = SSL_ech_get1_status(c->ssl->connection, &outer, &inner);
+
+ if (status == SSL_ECH_STATUS_SUCCESS
+ || status == SSL_ECH_STATUS_BAD_NAME)
 {
 ngx_str_set(s, "1");
 }

[...]

--
Maxim Dounin
http://mdounin.ru/
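Review bot: The second hunk maps `SSL_ECH_STATUS_BAD_NAME` to "1" without a comment explaining why a status whose name suggests failure counts as ECH having been used. Going by the message text, this follows the client certificate verification change in the OpenSSL ECH branch, so the status presumably means ECH itself was accepted while certificate verification did not succeed; that should be confirmed against the referenced pull request. I would add `/* BAD_NAME: ECH accepted, but certificate verification failed */` above the condition. The variable's documentation should also state that "1" says nothing about the client certificate, so access decisions still need `$ssl_client_verify`. The body of ngx_ssl_get_encrypted_hello begins and ends outside these hunks.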
