nic-6443 commented on code in PR #12366: URL: https://github.com/apache/apisix/pull/12366#discussion_r2162918558
########## apisix/init.lua:
##########
@@ -391,6 +400,17 @@ local function verify_https_client(ctx)
 ", but the host is ", host)
 return false
 end
+
+ local session_hostname, err = apisix_ssl.session_hostname()
+ if err then
+ core.log.error("failed to get session hostname: ", err)
+ return false
+ end
+ if session_hostname and session_hostname ~= ngx.ctx.client_hello_sni then
+ core.log.error("sni in client hello mismatch hostname of ssl session, ",
+ "sni: ", ngx.ctx.client_hello_sni, ", hostname: ", session_hostname)
+ return false
+ end
Review Comment:
> Maybe they could be moved to a new function with some comments explaining why this verification is done "to fix a security issue".

done
--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@apisix.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
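Review bot: The mismatch check in the second added `if` is skipped whenever `apisix_ssl.session_hostname()` returns nil without an error, so a connection whose session hostname cannot be recovered is let through with no SNI comparison at all; if nil can occur for a resumed session rather than only for a full handshake, the SNI pinning this hunk adds is bypassed, so either fail closed or state why nil is safe. At minimum make that intent explicit with a comment above the second `if`, e.g. `-- a nil session hostname is treated as "no resumed session": nothing to pin the client hello SNI against`, adjusted to whatever session_hostname() actually guarantees. The same condition rejects when `ngx.ctx.client_hello_sni` is nil but a session hostname exists, which is fail-closed and worth a one-line comment so a later "fix" does not loosen it. verify_https_client begins before and continues after this hunk.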