annotate src/mail/ngx_mail_ssl_module.h @ 6749:f88a145b093e stable-1.10
HTTP/2: the "421 Misdirected Request" response (closes #848).

Since 4fbef397c753 nginx rejects with the 400 error any attempts of
requesting different host over the same connection, if the relevant
virtual server requires verification of a client certificate.

While requesting hosts other than negotiated isn't something legal
in HTTP/1.x, the HTTP/2 specification explicitly permits such requests
for connection reuse and has introduced a special response code 421.
According to RFC 7540 Section 9.1.2 this code can be sent by a server
that is not configured to produce responses for the combination of
scheme and authority that are included in the request URI. And the
client may retry the request over a different connection.

Now this code is used for requests that aren't authorized in current
connection. After receiving the 421 response a client will be able
to open a new connection, provide the required certificate and retry
the request.

Unfortunately, not all clients currently are able to handle it well.
Notably Chrome just shows an error, while at least the latest version
of Firefox retries the request over a new connection.

author | Valentin Bartenev <vbart@nginx.com> |
---|---|
date | Fri, 20 May 2016 18:41:17 +0300 |
parents | ec01b1d1fff1 |
children | 51e1f047d15d |

rev | line source |
---|---|
539 | 1 |
539 | 2 /* |
539 | 3 * Copyright (C) Igor Sysoev |
4412 | 4 * Copyright (C) Nginx, Inc. |
539 | 5 */ |
539 | 6 |
539 | 7 |
1136 | 8 #ifndef _NGX_MAIL_SSL_H_INCLUDED_ |
1136 | 9 #define _NGX_MAIL_SSL_H_INCLUDED_ |
539 | 10 |
539 | 11 |
539 | 12 #include <ngx_config.h> |
539 | 13 #include <ngx_core.h> |
1136 | 14 #include <ngx_mail.h> |
539 | 15 |
539 | 16 |
1136 | 17 #define NGX_MAIL_STARTTLS_OFF 0 |
1136 | 18 #define NGX_MAIL_STARTTLS_ON 1 |
1136 | 19 #define NGX_MAIL_STARTTLS_ONLY 2 |
583 | 20 |
583 | 21 |
539 | 22 typedef struct { |
976 | 23 ngx_flag_t enable; |
2224 | 24 ngx_flag_t prefer_server_ciphers; |
976 | 25 |
976 | 26 ngx_ssl_t ssl; |
547 | 27 |
2224 | 28 ngx_uint_t starttls; |
976 | 29 ngx_uint_t protocols; |
547 | 30 |
5989 | 31 ngx_uint_t verify; |
5989 | 32 ngx_uint_t verify_depth; |
5989 | 33 |
976 | 34 ssize_t builtin_session_cache; |
547 | 35 |
976 | 36 time_t session_timeout; |
573 | 37 |
976 | 38 ngx_str_t certificate; |
976 | 39 ngx_str_t certificate_key; |
2044 | 40 ngx_str_t dhparam; |
3960 | 41 ngx_str_t ecdh_curve; |
5989 | 42 ngx_str_t client_certificate; |
5989 | 43 ngx_str_t trusted_certificate; |
5989 | 44 ngx_str_t crl; |
539 | 45 |
976 | 46 ngx_str_t ciphers; |
539 | 47 |
5744 | 48 ngx_array_t *passwords; |
5744 | 49 |
976 | 50 ngx_shm_zone_t *shm_zone; |
2224 | 51 |
5503 | 52 ngx_flag_t session_tickets; |
5425 | 53 ngx_array_t *session_ticket_keys; |
5425 | 54 |
2224 | 55 u_char *file; |
2224 | 56 ngx_uint_t line; |
1136 | 57 } ngx_mail_ssl_conf_t; |
539 | 58 |
539 | 59 |
1136 | 60 extern ngx_module_t ngx_mail_ssl_module; |
539 | 61 |
539 | 62 |
1136 | 63 #endif /* _NGX_MAIL_SSL_H_INCLUDED_ */ |

rev | changeset | description | author | parents |
---|---|---|---|---|
5989 | ec01b1d1fff1 | Mail: client SSL certificates support. | Maxim Dounin <mdounin@mdounin.ru> | 5744 |
5744 | 42114bf12da0 | SSL: the "ssl_password_file" directive. | Valentin Bartenev <vbart@nginx.com> | 5503 |
5503 | d049b0ea00a3 | SSL: ssl_session_tickets directive. | Dirkjan Bussink <d.bussink@gmail.com> | 5425 |
5425 | 1356a3b96924 | SSL: added ability to set keys used for Session Tickets (RFC5077). | Piotr Sikora <piotr@cloudflare.com> | 4412 |