This is an automated email from the ASF dual-hosted git repository.

spacewander pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git


The following commit(s) were added to refs/heads/master by this push:
     new 370beda  feat: improve the error msg when client doesn't send SNI 
(#3053)
370beda is described below

commit 370beda74d26e8df307c7b15284ba0fe2b083324
Author: 罗泽轩 <spacewander...@gmail.com>
AuthorDate: Wed Dec 16 08:56:30 2020 +0800

    feat: improve the error msg when client doesn't send SNI (#3053)
---
 apisix/ssl/router/radixtree_sni.lua |  5 ++++-
 t/router/radixtree-sni.t            | 40 +++++++++++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+), 1 deletion(-)

diff --git a/apisix/ssl/router/radixtree_sni.lua 
b/apisix/ssl/router/radixtree_sni.lua
index 6bf7519..be96c01 100644
--- a/apisix/ssl/router/radixtree_sni.lua
+++ b/apisix/ssl/router/radixtree_sni.lua
@@ -208,7 +208,10 @@ function _M.match_and_set(api_ctx)
     local sni
     sni, err = ngx_ssl.server_name()
     if type(sni) ~= "string" then
-        return false, "failed to fetch SSL certificate: " .. (err or "not 
found")
+        local advise = "please check if the client requests via IP or uses an 
outdated protocol" ..
+                       ". If you need to report an issue, " ..
+                       "provide a packet capture file of the TLS handshake."
+        return false, "failed to find SNI: " .. (err or advise)
     end
 
     core.log.debug("sni: ", sni)
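Review bot: The no-SNI branch can be reached by any client that simply omits SNI (for example one connecting by IP address), and the new return hands back a three-sentence advice string for each such handshake. The test added in this commit expects that text in the error log, so a burst of SNI-less handshakes would presumably write one long line each. The caller that logs it is outside this hunk, so its log level and any throttling are worth confirming. I would move the text to a module-level constant such as `local NO_SNI_ADVICE = "..."` and return `"failed to find SNI: " .. (err or NO_SNI_ADVICE)`, so the branch stays short. `advise` is the verb, so the noun `advice` is the better name; match_and_set continues beyond the hunk.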
diff --git a/t/router/radixtree-sni.t b/t/router/radixtree-sni.t
index 6715171..b2c5f60 100644
--- a/t/router/radixtree-sni.t
+++ b/t/router/radixtree-sni.t
@@ -1333,3 +1333,43 @@ connected: 1
 failed to do SSL handshake: handshake failed
 --- error_log
 base64 decode ssl key failed and skipped.
+
+
+
+=== TEST 30: client request without sni
+--- config
+listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
+
+location /t {
+    content_by_lua_block {
+        -- etcd sync
+        ngx.sleep(0.2)
+
+        do
+            local sock = ngx.socket.tcp()
+
+            sock:settimeout(2000)
+
+            local ok, err = 
sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock")
+            if not ok then
+                ngx.say("failed to connect: ", err)
+                return
+            end
+
+            local sess, err = sock:sslhandshake(nil, nil, true)
+            if not sess then
+                ngx.say("failed to do SSL handshake: ", err)
+                return
+            end
+        end  -- do
+        -- collectgarbage()
+    }
+}
+--- request
+GET /t
+--- response_body
+failed to do SSL handshake: handshake failed
+--- error_log
+failed to fetch ssl config: failed to find SNI: please check if the client 
requests via IP or uses an outdated protocol
+--- no_error_log
+[alert]
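Review bot: Nothing in TEST 30 says which argument makes the client omit SNI. In `sock:sslhandshake(nil, nil, true)` it is the second argument (server_name) being nil, and a comment such as `-- server_name is nil, so the handshake carries no SNI` would make the intent explicit. The `--- error_log` pattern pins only the opening of the advice text and only the path where `err` is nil; the branch of the changed return where `err` is set is not exercised. The commented-out `-- collectgarbage()` looks like a leftover and could be dropped.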
