BUG/MINOR: acl: req_ssl_sni would randomly fail if a session ID is present

The wrong byte was checked for the session_id length in the payload. This used to work when the session ID was absent because zero was found there, but when a session ID is present, there is 1/256 chance that the inspected data contains 0x20 (the actual session ID length), so it fails. Thanks to Emmanuel B�zagu for reporting this bug. This bug does not need backporting, it is 1.5 specific.
2025-08-10 00:57:02 +02:00 · 2012-04-09 09:24:11 +02:00 · 2012-04-09 09:24:11 +02:00 · d017f113c0
commit d017f113c0
parent dc4d903640
1 changed files with 2 additions and 2 deletions
--- a/src/acl.c
+++ b/src/acl.c
@ -290,7 +290,7 @@ acl_fetch_req_ssl_ver(struct proxy *px, struct session *l4, void *l7, int dir,
 *     - uint24 length                                 (handshake message length)
 *     - ClientHello :
 *       - uint16 client_version             >= 0x0301 (TLSv1)
- *       - uint8 Random[32]
+ *       - uint8 Random[32]                  (4 first ones are timestamp)
 *       - SessionID :
 *         - uint8 session_id_len (0..32)              (SessionID len in bytes)
 *         - uint8 session_id[session_id_len]
@ -370,7 +370,7 @@ acl_fetch_ssl_hello_sni(struct proxy *px, struct session *l4, void *l7, int dir,
 	if (data[0] < 0x03 || data[1] < 0x01) /* TLSv1 minimum */
 		goto not_ssl_hello;

-	ext_len = data[35];
+	ext_len = data[34]; /* session_id_len */
 	if (ext_len > 32 || ext_len > (hs_len - 35)) /* check for correct session_id len */
 		goto not_ssl_hello;