comparison xml/en/docs/http/ngx_http_ssl_module.xml @ 2234:20a189bdb15f

Updated SSL early data documentation.
author Yaroslav Zhuravlev <yar@nginx.com>
date Tue, 04 Sep 2018 19:41:41 +0300
parents f1e12641fc8a
children 0761b770a94e
2233:8f988cbe1296 2234:20a189bdb15f
8 <!DOCTYPE module SYSTEM "../../../../dtd/module.dtd"> 8 <!DOCTYPE module SYSTEM "../../../../dtd/module.dtd">
9 9
10 <module name="Module ngx_http_ssl_module" 10 <module name="Module ngx_http_ssl_module"
11 link="/en/docs/http/ngx_http_ssl_module.html" 11 link="/en/docs/http/ngx_http_ssl_module.html"
12 lang="en" 12 lang="en"
13 rev="40"> 13 rev="41">
14 14
15 <section id="summary"> 15 <section id="summary">
16 16
17 <para> 17 <para>
18 The <literal>ngx_http_ssl_module</literal> module provides the 18 The <literal>ngx_http_ssl_module</literal> module provides the
298 <para> 298 <para>
299 Enables or disables TLS 1.3 299 Enables or disables TLS 1.3
300 <link url="https://tools.ietf.org/html/rfc8446#section-2.3">early data</link>. 300 <link url="https://tools.ietf.org/html/rfc8446#section-2.3">early data</link>.
301 <note> 301 <note>
302 Requests sent within early data are subject to 302 Requests sent within early data are subject to
303 <link id="var_ssl_early_data">replay attacks</link>. 303 <link url="https://tools.ietf.org/html/draft-ietf-httpbis-replay-04">replay attacks</link>.
304 To protect against such attacks at the application layer,
305 the <link id="var_ssl_early_data">$ssl_early_data</link> variable
306 should be used.
307 </note>
308
309 <example>
310 proxy_set_header Early-Data $ssl_early_data;
311 </example>
312
313 <note>
314 The directive is supported only when using the
315 <link url="https://boringssl.googlesource.com/boringssl/">BoringSSL</link>
316 library.
304 </note> 317 </note>
305 </para> 318 </para>
306 319
307 </directive> 320 </directive>
308 321
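Review bot: In the new note at new lines 304-306, "the $ssl_early_data variable should be used" does not say who acts on the value, and the example at new line 310 only forwards it to the proxied server in an Early-Data header. Forwarding the header does not by itself stop a replayed request; the proxied application has to check it and decide how to handle requests that are not safe to repeat. Suggest adding a sentence to that effect, pointing at the linked draft-ietf-httpbis-replay-04 for the expected handling. The example would also read better attached to the first note, since it now sits between the replay note and the unrelated BoringSSL note.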
899 </tag-desc> 912 </tag-desc>
900 913
901 <tag-name id="var_ssl_early_data"><var>$ssl_early_data</var></tag-name> 914 <tag-name id="var_ssl_early_data"><var>$ssl_early_data</var></tag-name>
902 <tag-desc> 915 <tag-desc>
903 returns “<literal>1</literal>” if 916 returns “<literal>1</literal>” if
904 TLS 1.3 early data is <link id="ssl_early_data">used</link> 917 TLS 1.3 <link id="ssl_early_data">early data</link> is used
905 and the handshake is not complete, otherwise “” (1.15.3). 918 and the handshake is not complete, otherwise “” (1.15.3).
906 The variable is used to protect against 919 <note>
907 <link url="https://tools.ietf.org/html/draft-ietf-httpbis-replay-04">replay attacks</link> 920 The variable is supported only when using the
908 at the application layer: 921 <link url="https://boringssl.googlesource.com/boringssl/">BoringSSL</link>
909 <example> 922 library.
910 proxy_set_header Early-Data $ssl_early_data; 923 </note>
911 </example>
912 </tag-desc> 924 </tag-desc>
913 925
914 <tag-name id="var_ssl_protocol"><var>$ssl_protocol</var></tag-name> 926 <tag-name id="var_ssl_protocol"><var>$ssl_protocol</var></tag-name>
915 <tag-desc> 927 <tag-desc>
916 returns the protocol of an established SSL connection; 928 returns the protocol of an established SSL connection;
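Review bot: With old lines 906-911 removed, the $ssl_early_data description no longer says what the variable is for: the replay-attack sentence and the proxy_set_header example now exist only under the ssl_early_data directive, and the remaining link text "early data" on new line 917 gives no hint that the security guidance lives there. Suggest keeping one short sentence here saying the value is meant to be passed to the proxied server to protect against replay, with the link to the directive's note. Separately, "otherwise “”" on new line 918 renders as a pair of empty quotes; "otherwise an empty string" would be clearer, if that fits the wording used for the other variables in this file.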