changeset 2219:f1e12641fc8a
Documented TLS 1.3 early data.
author: Yaroslav Zhuravlev <yar@nginx.com>
date: Wed, 15 Aug 2018 12:54:52 +0300
parents: 8be9700e9dd7
children: 896562a1ccde
files: xml/en/docs/http/ngx_http_ssl_module.xml xml/ru/docs/http/ngx_http_ssl_module.xml
diffstat: 2 files changed, 66 insertions(+), 2 deletions(-)
--- a/xml/en/docs/http/ngx_http_ssl_module.xml +++ b/xml/en/docs/http/ngx_http_ssl_module.xml @@ -10,7 +10,7 @@ <module name="Module ngx_http_ssl_module" link="/en/docs/http/ngx_http_ssl_module.html" lang="en" - rev="39"> + rev="40"> <section id="summary"> @@ -288,6 +288,25 @@ Specifies a <value>file</value> with DH </directive> +<directive name="ssl_early_data"> +<syntax><literal>on</literal> | <literal>off</literal></syntax> +<default>off</default> +<context>http</context> +<context>server</context> +<appeared-in>1.15.3</appeared-in> + +<para> +Enables or disables TLS 1.3 +<link url="https://tools.ietf.org/html/rfc8446#section-2.3">early data</link>. +<note> +Requests sent within early data are subject to +<link id="var_ssl_early_data">replay attacks</link>. +</note> +</para> + +</directive> + + <directive name="ssl_ecdh_curve"> <syntax><value>curve</value></syntax> <default>auto</default> @@ -879,6 +898,19 @@ The variable is available only for new s </note> </tag-desc> +<tag-name id="var_ssl_early_data"><var>$ssl_early_data</var></tag-name> +<tag-desc> +returns “<literal>1</literal>” if +TLS 1.3 early data is <link id="ssl_early_data">used</link> +and the handshake is not complete, otherwise “” (1.15.3). +The variable is used to protect against +<link url="https://tools.ietf.org/html/draft-ietf-httpbis-replay-04">replay attacks</link> +at the application layer: +<example> +proxy_set_header Early-Data $ssl_early_data; +</example> +</tag-desc> + <tag-name id="var_ssl_protocol"><var>$ssl_protocol</var></tag-name> <tag-desc> returns the protocol of an established SSL connection;
--- a/xml/ru/docs/http/ngx_http_ssl_module.xml +++ b/xml/ru/docs/http/ngx_http_ssl_module.xml @@ -10,7 +10,7 @@ <module name="Модуль ngx_http_ssl_module" link="/ru/docs/http/ngx_http_ssl_module.html" lang="ru" - rev="39"> + rev="40"> <section id="summary"> @@ -290,6 +290,25 @@ PEM, которые используются для </directive> +<directive name="ssl_early_data"> +<syntax><literal>on</literal> | <literal>off</literal></syntax> +<default>off</default> +<context>http</context> +<context>server</context> +<appeared-in>1.15.3</appeared-in> + +<para> +Разрешает или запрещает TLS 1.3 +<link url="https://tools.ietf.org/html/rfc8446#section-2.3">early data</link>. +<note> +Запросы, отправленные внутри early data, могут быть подвержены +<link id="var_ssl_early_data">атакам повторного воспроизведения</link> (replay). +</note> +</para> + +</directive> + + <directive name="ssl_ecdh_curve"> <syntax><value>кривая</value></syntax> <default>auto</default> @@ -883,6 +902,19 @@ 0x001d:prime256v1:secp521r1:secp384r1 </note> </tag-desc> +<tag-name id="var_ssl_early_data"><var>$ssl_early_data</var></tag-name> +<tag-desc> +возвращает “<literal>1</literal>”, если +<link id="ssl_early_data">используется</link> TLS 1.3 early data +и операция handshake не завершена, иначе “” (1.15.3). +Переменная используется для защиты от +<link url="https://tools.ietf.org/html/draft-ietf-httpbis-replay-04">атак +повторного воспроизведения </link> (replay) на уровне приложения: +<example> +proxy_set_header Early-Data $ssl_early_data; +</example> +</tag-desc> + <tag-name id="var_ssl_protocol"><var>$ssl_protocol</var></tag-name> <tag-desc> возвращает протокол установленного SSL-соединения;
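Review bot: in the English `ssl_early_data` directive hunk (`@@ -288,6 +288,25 @@`), the `<note>` tells the reader that early-data requests are subject to replay attacks but not what that implies for the `on` setting; since the default is `off`, add a sentence saying that the directive should be enabled only when the proxied application inspects the `$ssl_early_data` value (the `Early-Data` header shown under the variable) and handles possibly replayed requests itself, so the warning leads to an action rather than only a cross-reference.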
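Review bot: in the English `$ssl_early_data` hunk (`@@ -879,6 +898,19 @@`), the sentence "The variable is used to protect against replay attacks at the application layer" stops short of saying what the application is expected to do with the header; state that the upstream must decide per request whether it is safe to process while `Early-Data` is `1` (for example by refusing or deferring requests that are not safe to replay), as the linked document describes. Also, the link pins a specific draft revision (`draft-ietf-httpbis-replay-04`); Internet-Drafts expire and are superseded, so either link the unversioned draft name or mark it as work in progress so the reference does not go stale.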
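Review bot: in the Russian `ssl_early_data` directive hunk (`@@ -290,6 +290,25 @@`), the note reads "могут быть подвержены" ("may be subject to") while the English version states "are subject to"; the two translations should make the same claim, and the stronger English wording is the accurate one for replayable early data, so align the Russian text with it.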
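Review bot: in the Russian `$ssl_early_data` hunk (`@@ -883,6 +902,19 @@`), the link text `атак повторного воспроизведения </link> (replay)` carries a trailing space before `</link>`, which renders as a double space before "(replay)" and pulls whitespace into the anchor; drop the space so it reads `атак повторного воспроизведения</link> (replay)`, matching the English hunk where the closing tag follows the text directly.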