comparison src/http/modules/ngx_http_ssl_module.c @ 7937:db6b630e6086
HTTP: connections with wrong ALPN protocols are now rejected.
This is the behavior recommended by RFC 7301 and is useful
for mitigating protocol confusion attacks [1].
To avoid possible negative effects, the list of supported protocols
was extended to include all possible HTTP protocol ALPN IDs
registered by IANA [2], i.e. "http/1.0" and "http/0.9".
[1] https://alpaca-attack.com/
[2] https://www.iana.org/assignments/tls-extensiontype-values/
author | Vladimir Homutov <vl@nginx.com> |
date | Wed, 20 Oct 2021 09:50:02 +0300 |
parents | eb6c77e6d55d |
children | 3443c02ca1d1 61d0fa67b55e |
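--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -15,11 +15,11 @@
 
 
 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
 #define NGX_DEFAULT_ECDH_CURVE "auto"
 
-#define NGX_HTTP_ALPN_PROTO "\x08http/1.1"
+#define NGX_HTTP_ALPN_PROTOS "\x08http/1.1\x08http/1.0\x08http/0.9"
 
 
 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
 static int ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn,
     const unsigned char **out, unsigned char *outlen,
@@ -440,25 +440,24 @@
 
 #if (NGX_HTTP_V2)
     hc = c->data;
 
     if (hc->addr_conf->http2) {
-        srv = (unsigned char *) NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTO;
-        srvlen = sizeof(NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTO) - 1;
-
+        srv = (unsigned char *) NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTOS;
+        srvlen = sizeof(NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTOS) - 1;
     } else
 #endif
     {
-        srv = (unsigned char *) NGX_HTTP_ALPN_PROTO;
-        srvlen = sizeof(NGX_HTTP_ALPN_PROTO) - 1;
+        srv = (unsigned char *) NGX_HTTP_ALPN_PROTOS;
+        srvlen = sizeof(NGX_HTTP_ALPN_PROTOS) - 1;
     }
 
     if (SSL_select_next_proto((unsigned char **) out, outlen, srv, srvlen,
                               in, inlen)
         != OPENSSL_NPN_NEGOTIATED)
     {
-        return SSL_TLSEXT_ERR_NOACK;
+        return SSL_TLSEXT_ERR_ALERT_FATAL;
     }
 
     ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
                    "SSL ALPN selected: %*s", (size_t) *outlen, *out);
 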
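Review bot: The return at new line 458 switches from SSL_TLSEXT_ERR_NOACK to SSL_TLSEXT_ERR_ALERT_FATAL without a comment, so the only record of why the handshake is now failed rather than continued without ALPN is the commit message, and a later maintainer comparing this with other callbacks could revert it as a compatibility fix. I would add above the return: `/* no overlap with the client's ALPN list: abort the handshake with a no_application_protocol alert (RFC 7301 section 3.2) instead of serving HTTP to a client that offered only other protocols */`. At the NGX_HTTP_ALPN_PROTOS definition (new line 20) it is worth noting that entry order is the server's preference order, because SSL_select_next_proto returns the first server-side entry found in the client list, and that each entry carries its own length prefix; the `sizeof(...) - 1` arithmetic appears to rely on NGX_HTTP_V2_ALPN_PROTO also being a string literal, which is not visible here. Clients that send no ALPN extension never reach this callback, so the fatal alert only affects clients offering exclusively non-HTTP protocol IDs. ngx_http_ssl_alpn_select begins before and continues after the second hunk.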