Mercurial > hg > nginx
diff src/event/quic/ngx_event_quic_ssl.c @ 8895:4b2d259bdadd quic
QUIC: connections with wrong ALPN protocols are now rejected.
Previously, it was not enforced in the stream module.
Now, since b9e02e9b2f1d it is possible to specify protocols.
Since ALPN is always required, the 'require_alpn' setting is now obsolete.
author | Vladimir Homutov <vl@nginx.com> |
---|---|
date | Wed, 03 Nov 2021 13:36:21 +0300 |
parents | 61b038fb59c6 |
children | ff473a6f656c |
line wrap: on
line diff
--- a/src/event/quic/ngx_event_quic_ssl.c +++ b/src/event/quic/ngx_event_quic_ssl.c @@ -175,6 +175,10 @@ ngx_quic_add_handshake_data(ngx_ssl_conn ngx_connection_t *c; ngx_quic_send_ctx_t *ctx; ngx_quic_connection_t *qc; +#if defined(TLSEXT_TYPE_application_layer_protocol_negotiation) + unsigned int alpn_len; + const unsigned char *alpn_data; +#endif c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); qc = ngx_quic_get_connection(c); @@ -190,21 +194,18 @@ ngx_quic_add_handshake_data(ngx_ssl_conn */ #if defined(TLSEXT_TYPE_application_layer_protocol_negotiation) - if (qc->conf->require_alpn) { - unsigned int len; - const unsigned char *data; - SSL_get0_alpn_selected(ssl_conn, &data, &len); + SSL_get0_alpn_selected(ssl_conn, &alpn_data, &alpn_len); - if (len == 0) { - qc->error = 0x100 + SSL_AD_NO_APPLICATION_PROTOCOL; - qc->error_reason = "unsupported protocol in ALPN extension"; + if (alpn_len == 0) { + qc->error = 0x100 + SSL_AD_NO_APPLICATION_PROTOCOL; + qc->error_reason = "unsupported protocol in ALPN extension"; - ngx_log_error(NGX_LOG_INFO, c->log, 0, - "quic unsupported protocol in ALPN extension"); - return 0; - } - } + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "quic unsupported protocol in ALPN extension"); + return 0; + } + #endif SSL_get_peer_quic_transport_params(ssl_conn, &client_params,