comparison xml/en/docs/http/ngx_http_ssl_module.xml @ 2234:20a189bdb15f
Updated SSL early data documentation.
author | Yaroslav Zhuravlev <yar@nginx.com> |
---|---|
date | Tue, 04 Sep 2018 19:41:41 +0300 |
parents | f1e12641fc8a |
children | 0761b770a94e |
2233:8f988cbe1296 | 2234:20a189bdb15f |
---|---|
8 <!DOCTYPE module SYSTEM "../../../../dtd/module.dtd"> | 8 <!DOCTYPE module SYSTEM "../../../../dtd/module.dtd"> |
9 | 9 |
10 <module name="Module ngx_http_ssl_module" | 10 <module name="Module ngx_http_ssl_module" |
11 link="/en/docs/http/ngx_http_ssl_module.html" | 11 link="/en/docs/http/ngx_http_ssl_module.html" |
12 lang="en" | 12 lang="en" |
13 rev="40"> | 13 rev="41"> |
14 | 14 |
15 <section id="summary"> | 15 <section id="summary"> |
16 | 16 |
17 <para> | 17 <para> |
18 The <literal>ngx_http_ssl_module</literal> module provides the | 18 The <literal>ngx_http_ssl_module</literal> module provides the |
298 <para> | 298 <para> |
299 Enables or disables TLS 1.3 | 299 Enables or disables TLS 1.3 |
300 <link url="https://tools.ietf.org/html/rfc8446#section-2.3">early data</link>. | 300 <link url="https://tools.ietf.org/html/rfc8446#section-2.3">early data</link>. |
301 <note> | 301 <note> |
302 Requests sent within early data are subject to | 302 Requests sent within early data are subject to |
303 <link id="var_ssl_early_data">replay attacks</link>. | 303 <link url="https://tools.ietf.org/html/draft-ietf-httpbis-replay-04">replay attacks</link>. |
304 To protect against such attacks at the application layer, | |
305 the <link id="var_ssl_early_data">$ssl_early_data</link> variable | |
306 should be used. | |
307 </note> | |
308 | |
309 <example> | |
310 proxy_set_header Early-Data $ssl_early_data; | |
311 </example> | |
312 | |
313 <note> | |
314 The directive is supported only when using the | |
315 <link url="https://boringssl.googlesource.com/boringssl/">BoringSSL</link> | |
316 library. | |
304 </note> | 317 </note> |
305 </para> | 318 </para> |
306 | 319 |
307 </directive> | 320 </directive> |
308 | 321 |
899 </tag-desc> | 912 </tag-desc> |
900 | 913 |
901 <tag-name id="var_ssl_early_data"><var>$ssl_early_data</var></tag-name> | 914 <tag-name id="var_ssl_early_data"><var>$ssl_early_data</var></tag-name> |
902 <tag-desc> | 915 <tag-desc> |
903 returns “<literal>1</literal>” if | 916 returns “<literal>1</literal>” if |
904 TLS 1.3 early data is <link id="ssl_early_data">used</link> | 917 TLS 1.3 <link id="ssl_early_data">early data</link> is used |
905 and the handshake is not complete, otherwise “” (1.15.3). | 918 and the handshake is not complete, otherwise “” (1.15.3). |
906 The variable is used to protect against | 919 <note> |
907 <link url="https://tools.ietf.org/html/draft-ietf-httpbis-replay-04">replay attacks</link> | 920 The variable is supported only when using the |
908 at the application layer: | 921 <link url="https://boringssl.googlesource.com/boringssl/">BoringSSL</link> |
909 <example> | 922 library. |
910 proxy_set_header Early-Data $ssl_early_data; | 923 </note> |
911 </example> | |
912 </tag-desc> | 924 </tag-desc> |
913 | 925 |
914 <tag-name id="var_ssl_protocol"><var>$ssl_protocol</var></tag-name> | 926 <tag-name id="var_ssl_protocol"><var>$ssl_protocol</var></tag-name> |
915 <tag-desc> | 927 <tag-desc> |
916 returns the protocol of an established SSL connection; | 928 returns the protocol of an established SSL connection; |
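
Review bot: In the $ssl_early_data entry (new lines 916-923) the replay explanation is dropped entirely, so a reader who lands on the variable directly sees only what it returns and the BoringSSL restriction. The link on "early data" leads to the directive, but nothing signals that the security guidance now lives there. Consider keeping one sentence that points to the ssl_early_data directive for replay protection. The BoringSSL note is also now repeated with near-identical wording under both the directive and the variable, so the two copies will need to be updated together if library support changes.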