lua-nginx-module
Would like ngx.ssl.clienthello's get_client_hello_ext to support custom ext_type values
- A minimal and standalone test case that others can easily run on their side and reproduce the issue you are seeing.
for example
An HTTPS client request whose TLS ClientHello carries a custom extension of type 0x7172:
gcc -o client client.c -lssl -lcrypto
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <arpa/inet.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
/* Port of the local nginx test server (see the server config below). */
#define SERVER_PORT 6094
/* TLS ExtensionType value placed in the ClientHello. NOTE(review): this does
 * not appear to be an IANA-assigned extension type; fine for a repro. */
#define CUSTOM_EXTENSION_TYPE 0x7172

/* Body of the custom extension; the trailing NUL is never transmitted. */
static const unsigned char custom_extension_data[] = "hello world";

/*
 * add_cb for SSL_CTX_add_client_custom_ext(): hands OpenSSL the extension
 * body. out/outlen point into static storage, so the free_cb (passed as NULL
 * in main) has nothing to release. Always returns 1 so the extension is sent;
 * ssl, ext_type, al and arg are not used here.
 */
int add_custom_extensions(SSL *ssl, unsigned int ext_type,
                          const unsigned char **out, size_t *outlen,
                          int *al, void *arg) {
    (void) ssl;
    (void) ext_type;
    (void) al;
    (void) arg;

    const size_t payload_len = sizeof(custom_extension_data) - 1;
    *out = custom_extension_data;
    *outlen = payload_len;
    return 1;
}
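/*
 * Minimal TLS client for the repro: connects to 127.0.0.1:SERVER_PORT, sends a
 * ClientHello carrying CUSTOM_EXTENSION_TYPE, issues one GET and prints the
 * first chunk of the reply. Returns 0 on success, 1 on any failure.
 *
 * All failure paths go through `cleanup` so the socket, SSL and SSL_CTX are
 * released; the original returned early from several steps and leaked them.
 */
int main(void) {
    SSL_CTX *ctx = NULL;
    SSL *ssl = NULL;
    int sock = -1;
    int rc = 1;                 /* exit status; set to 0 only at the end of the happy path */
    int len;
    int msglen;
    const char *msg = "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n";
    struct sockaddr_in server_addr;
    char buf[1024];

    /* Legacy (pre-1.1.0) initialisation calls; harmless on OpenSSL 1.1.1. */
    SSL_library_init();
    SSL_load_error_strings();
    OpenSSL_add_all_algorithms();

    ctx = SSL_CTX_new(SSLv23_client_method());
    if (!ctx) {
        ERR_print_errors_fp(stderr);
        goto cleanup;
    }

    /* NOTE(review): no peer verification is configured (OpenSSL's default is
     * SSL_VERIFY_NONE) and no minimum protocol version is pinned. That is
     * acceptable only for this loopback repro against the easy-rsa test cert. */

    /* Attach the custom extension to every ClientHello sent from this context.
     * Returns 1 on success, 0 on failure. */
    if (SSL_CTX_add_client_custom_ext(ctx, CUSTOM_EXTENSION_TYPE, add_custom_extensions,
                                      NULL, NULL, NULL, NULL) == 0) {
        ERR_print_errors_fp(stderr);
        goto cleanup;
    }

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) {
        perror("socket");
        goto cleanup;
    }

    memset(&server_addr, 0, sizeof(server_addr));
    server_addr.sin_family = AF_INET;
    server_addr.sin_port = htons(SERVER_PORT);
    if (inet_pton(AF_INET, "127.0.0.1", &server_addr.sin_addr) <= 0) {
        perror("inet_pton");
        goto cleanup;
    }
    if (connect(sock, (struct sockaddr *)&server_addr, sizeof(server_addr)) < 0) {
        perror("connect");
        goto cleanup;
    }

    ssl = SSL_new(ctx);
    if (!ssl) {
        ERR_print_errors_fp(stderr);
        goto cleanup;
    }
    if (SSL_set_fd(ssl, sock) == 0) {
        ERR_print_errors_fp(stderr);
        goto cleanup;
    }
    if (SSL_connect(ssl) <= 0) {
        /* When the server's ssl_client_hello_by_lua_block calls ngx.exit(ngx.ERROR),
         * the aborted handshake shows up here. */
        ERR_print_errors_fp(stderr);
        goto cleanup;
    }

    /* SSL_write() returns the number of bytes written; anything else is an error. */
    msglen = (int) strlen(msg);
    if (SSL_write(ssl, msg, msglen) != msglen) {
        ERR_print_errors_fp(stderr);
        goto cleanup;
    }

    /* Single read; one byte is reserved so the reply can be NUL-terminated. */
    len = SSL_read(ssl, buf, sizeof(buf) - 1);
    if (len > 0) {
        buf[len] = '\0';
        printf("Received: %s\n", buf);
    } else {
        ERR_print_errors_fp(stderr);
    }

    SSL_shutdown(ssl);
    rc = 0;

cleanup:
    /* Reached from every exit path; guards make each release a no-op when the
     * corresponding object was never created. */
    if (ssl) {
        SSL_free(ssl);
    }
    if (sock >= 0) {
        close(sock);
    }
    if (ctx) {
        SSL_CTX_free(ctx);
    }
    return rc;
}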
server config
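server {
    listen 6094 ssl;
    # easy-rsa test certificate and key from the reporter's environment
    ssl_certificate     /usr/share/easy-rsa/pki/issued/192.168.216.129.crt;
    ssl_certificate_key /usr/share/easy-rsa/pki/private/192.168.216.129.key;

    # Runs at ClientHello time, before any certificate is selected. The
    # extension bytes come straight from an unauthenticated peer: treat them
    # as untrusted input and do not log or interpolate them raw.
    ssl_client_hello_by_lua_block {
        local ssl_clt = require "ngx.ssl.clienthello"
        local ext, err = ssl_clt.get_client_hello_ext(0x7172)
        if not ext then
            -- the log line previously said "(0)" although 0x7172 is queried
            ngx.log(ngx.ERR, "failed to get_client_hello_ext(0x7172): ", err)
            -- aborts the handshake; the client sees SSL_connect() fail
            ngx.exit(ngx.ERROR)
        end
    }

    location / {
        return 200 "hello 6094\n";
    }
}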
Expected
The value `ext` returned by ssl_clt.get_client_hello_ext(0x7172) is expected to be non-nil (the extension data).
Actual
The value `ext` returned by ssl_clt.get_client_hello_ext(0x7172) is nil.
A simple fix
Call SSL_CTX_add_server_custom_ext right after the SSL_CTX_set_client_hello_cb call in https://github.com/openresty/lua-nginx-module/blob/master/src/ngx_http_lua_module.c, for example:
/* Existing call: installs the module's Lua client-hello handler (unchanged). */
SSL_CTX_set_client_hello_cb(sscf->ssl.ctx,
ngx_http_lua_ssl_client_hello_handler,
NULL);
/* Proposed addition. As far as I can tell from OpenSSL 1.1.1's ClientHello
 * extension collection, an extension type that is neither built-in nor
 * registered as a custom extension is dropped before the client-hello
 * callback runs, which is why SSL_client_hello_get0_ext() (behind
 * get_client_hello_ext) returns nothing for 0x7172 -- confirm against the
 * OpenSSL source. With all callbacks NULL the type is merely accepted:
 * nothing is parsed and nothing is sent back to the client.
 * NOTE(review): the type is hard-coded for this repro; a real fix needs the
 * list of types to be configurable, and the return value should be checked
 * (1 on success, 0 on failure) rather than ignored. */
SSL_CTX_add_server_custom_ext(sscf->ssl.ctx, 0x7172, NULL, NULL, NULL, NULL, NULL);
- The exact version of the related software, including but not limited to the OpenResty version
nginx version: openresty/1.21.4.2
built by gcc 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
built with OpenSSL 1.1.1f 31 Mar 2020
TLS SNI support enabled
configure arguments: --prefix=/data/chiansec/ztpSevenGW/nginx --with-cc-opt=-O2 --add-module=../ngx_devel_kit-0.3.2 --add-module=../echo-nginx-module-0.63 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.33 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.09 --add-module=../srcache-nginx-module-0.33 --add-module=../ngx_lua-0.10.25 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.34 --add-module=../array-var-nginx-module-0.06 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.9 --add-module=../rds-json-nginx-module-0.16 --add-module=../rds-csv-nginx-module-0.09 --add-module=../ngx_stream_lua-0.0.13 --with-ld-opt=-Wl,-rpath,/data/chiansec/ztpSevenGW/luajit/lib --with-http_stub_status_module --with-pcre --with-pcre-jit --with-stream --with-stream_ssl_preread_module --with-http_ssl_module --with-http_v2_module --with-ipv6 --with-stream --with-stream_ssl_module
I encountered the same problem