BUG/MINOR: acl: req_ssl_sni would randomly fail if a session ID is present The wrong byte was checked for the session_id length in the payload. This used to work when the session ID was absent because zero was found there, but when a session ID is present, there is 1/256 chance that the inspected data contains 0x20 (the actual session ID length), so it fails. Thanks to Emmanuel Bézagu for reporting this bug. This bug does not need backporting, it is 1.5 specific.

commit: d017f113c0db0f99227a96e825d244c6e1e322ac [log] [tgz]
author: Willy Tarreau <w@1wt.eu> Mon Apr 09 09:24:11 2012 +0200
committer: Willy Tarreau <w@1wt.eu> Mon Apr 09 09:24:11 2012 +0200
tree: fff52539f54bce22e2a73465a3d296ce3c1a1597
parent: dc4d9036406611211816e2761beeaece697f650f [diff]
diff --git a/src/acl.c b/src/acl.c
index 6d4eed3..4630743 100644
--- a/src/acl.c
+++ b/src/acl.c

@@ -290,7 +290,7 @@
  *     - uint24 length                                 (handshake message length)
  *     - ClientHello :
  *       - uint16 client_version             >= 0x0301 (TLSv1)
- *       - uint8 Random[32]
+ *       - uint8 Random[32]                  (4 first ones are timestamp)
  *       - SessionID :
  *         - uint8 session_id_len (0..32)              (SessionID len in bytes)
  *         - uint8 session_id[session_id_len]
@@ -370,7 +370,7 @@
 	if (data[0] < 0x03 || data[1] < 0x01) /* TLSv1 minimum */
 		goto not_ssl_hello;
 
-	ext_len = data[35];
+	ext_len = data[34]; /* session_id_len */
 	if (ext_len > 32 || ext_len > (hs_len - 35)) /* check for correct session_id len */
 		goto not_ssl_hello;
commit	d017f113c0db0f99227a96e825d244c6e1e322ac	[log] [tgz]
author	Willy Tarreau <w@1wt.eu>	Mon Apr 09 09:24:11 2012 +0200
committer	Willy Tarreau <w@1wt.eu>	Mon Apr 09 09:24:11 2012 +0200
tree	fff52539f54bce22e2a73465a3d296ce3c1a1597
parent	dc4d9036406611211816e2761beeaece697f650f [diff]