nic-6443 commented on code in PR #12366: URL: https://github.com/apache/apisix/pull/12366#discussion_r2162905018
########## apisix/init.lua: ########## @@ -391,6 +400,17 @@ local function verify_https_client(ctx) ", but the host is ", host) return false end + + local session_hostname, err = apisix_ssl.session_hostname() + if err then + core.log.error("failed to get session hostname: ", err) + return false + end + if session_hostname and session_hostname ~= ngx.ctx.client_hello_sni then + core.log.error("sni in client hello mismatch hostname of ssl session, ", + "sni: ", ngx.ctx.client_hello_sni, ", hostname: ", session_hostname) + return false + end Review Comment: The HTTP subsystem also has matching verification for the HTTP host and SNI, so the verification logic of these two subsystems is not exactly the same and cannot be fully reused.
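Review bot: the test `session_hostname ~= ngx.ctx.client_hello_sni` in the added block is a byte-exact string comparison, so it only behaves correctly if both values are already in the same case, and it also rejects whenever `ngx.ctx.client_hello_sni` is nil while the session carries a hostname. Host names are case-insensitive, so unless both sides are lowercased elsewhere, normalize them before comparing to avoid rejecting a legitimate client. Rejecting the nil case may well be intended, but it would then log `sni: nil` under a message that reads like a mismatch between two names; a separate branch with its own message would make that case easier to diagnose. A short comment above the block stating which situation it guards against (apparently a session whose stored hostname differs from the SNI in the current ClientHello) would help the next reader, as would a test covering the mismatch path.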