This is an automated email from the ASF dual-hosted git repository. spacewander pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new 370beda feat: improve the error msg when client doesn't send SNI (#3053)
370beda is described below
commit 370beda74d26e8df307c7b15284ba0fe2b083324
Author: 罗泽轩 <spacewander...@gmail.com>
AuthorDate: Wed Dec 16 08:56:30 2020 +0800
feat: improve the error msg when client doesn't send SNI (#3053)
---
 apisix/ssl/router/radixtree_sni.lua | 5 ++++-
 t/router/radixtree-sni.t | 40 +++++++++++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+), 1 deletion(-)
diff --git a/apisix/ssl/router/radixtree_sni.lua b/apisix/ssl/router/radixtree_sni.lua
index 6bf7519..be96c01 100644
--- a/apisix/ssl/router/radixtree_sni.lua
+++ b/apisix/ssl/router/radixtree_sni.lua
@@ -208,7 +208,10 @@ function _M.match_and_set(api_ctx)
 local sni
 sni, err = ngx_ssl.server_name()
 if type(sni) ~= "string" then
- return false, "failed to fetch SSL certificate: " .. (err or "not found")
+ local advise = "please check if the client requests via IP or uses an outdated protocol" ..
+ ". If you need to report an issue, " ..
+ "provide a packet capture file of the TLS handshake."
+ return false, "failed to find SNI: " .. (err or advise)
 end
 core.log.debug("sni: ", sni)
diff --git a/t/router/radixtree-sni.t b/t/router/radixtree-sni.t
index 6715171..b2c5f60 100644
--- a/t/router/radixtree-sni.t
+++ b/t/router/radixtree-sni.t
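Review bot: In the `if type(sni) ~= "string"` branch of the radixtree_sni.lua hunk, the no-SNI case (`err` is nil, so `advise` is used) returns the same `false, msg` shape as a genuine `ngx_ssl.server_name()` failure, so the caller cannot tell a routine SNI-less handshake from a real error. Clients that connect by IP address or with old TLS stacks are common on an exposed listener, and the test added in this commit shows the advice string reaching the error log for such a handshake; the log level and any rate limiting are decided by the caller, which is outside this hunk. Consider building the text once at module level, `local NO_SNI_ADVICE = "..."`, and adding above the `if` a comment like `-- err == nil here means the client sent no SNI (request via IP or a pre-SNI protocol)`, so the caller can log that case at a lower level. The local would also read better as `advice` (noun) than `advise`. `match_and_set` starts and ends outside the hunk.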
@@ -1333,3 +1333,43 @@ connected: 1
 failed to do SSL handshake: handshake failed
 --- error_log
 base64 decode ssl key failed and skipped.
+
+
+
+=== TEST 30: client request without sni
+--- config
+listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
+
+location /t {
+ content_by_lua_block {
+ -- etcd sync
+ ngx.sleep(0.2)
+
+ do
+ local sock = ngx.socket.tcp()
+
+ sock:settimeout(2000)
+
+ local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock")
+ if not ok then
+ ngx.say("failed to connect: ", err)
+ return
+ end
+
+ local sess, err = sock:sslhandshake(nil, nil, true)
+ if not sess then
+ ngx.say("failed to do SSL handshake: ", err)
+ return
+ end
+ end -- do
+ -- collectgarbage()
+ }
+}
+--- request
+GET /t
+--- response_body
+failed to do SSL handshake: handshake failed
+--- error_log
+failed to fetch ssl config: failed to find SNI: please check if the client requests via IP or uses an outdated protocol
+--- no_error_log
+[alert]
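Review bot: The call `sock:sslhandshake(nil, nil, true)` in TEST 30 carries the whole point of the test in its second argument, but nothing in the block says so; a comment above it such as `-- server_name is nil, so the ClientHello carries no SNI` would make that explicit. The third argument turns certificate verification on, so it is worth a second comment that the expected `handshake failed` is presumably the server rejecting the handshake rather than a verification failure, which is what the `--- error_log` assertion pins down. The trailing `-- collectgarbage()` is commented-out code and could be dropped.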