comparison src/http/modules/ngx_http_ssl_module.c @ 5545:01e2a5bcdd8f
SSL: support ALPN (IETF's successor to NPN).
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
author | Piotr Sikora <piotr@cloudflare.com> |
---|---|
date | Tue, 28 Jan 2014 15:33:49 -0800 |
parents | 8ed467553f6b |
children | 7c05f6590753 |
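--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -15,10 +15,18 @@
 
 
 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
 #define NGX_DEFAULT_ECDH_CURVE "prime256v1"
 
+#define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1"
+
+
+#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
+static int ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn,
+const unsigned char **out, unsigned char *outlen,
+const unsigned char *in, unsigned int inlen, void *arg);
+#endif
 
 #ifdef TLSEXT_TYPE_next_proto_neg
 static int ngx_http_ssl_npn_advertised(ngx_ssl_conn_t *ssl_conn,
 const unsigned char **out, unsigned int *outlen, void *arg);
 #endif
@@ -286,13 +294,69 @@
 
 
 static ngx_str_t ngx_http_ssl_sess_id_ctx = ngx_string("HTTP");
 
 
+#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
+
+static int
+ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out,
+unsigned char *outlen, const unsigned char *in, unsigned int inlen,
+void *arg)
+{
+unsigned int srvlen;
+unsigned char *srv;
+#if (NGX_DEBUG)
+unsigned int i;
+#endif
+#if (NGX_HTTP_SPDY)
+ngx_http_connection_t *hc;
+#endif
+#if (NGX_HTTP_SPDY || NGX_DEBUG)
+ngx_connection_t *c;
+
+c = ngx_ssl_get_connection(ssl_conn);
+#endif
+
+#if (NGX_DEBUG)
+for (i = 0; i < inlen; i += in[i] + 1) {
+ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
+"SSL ALPN supported by client: %*s", in[i], &in[i + 1]);
+}
+#endif
+
+#if (NGX_HTTP_SPDY)
+hc = c->data;
+
+if (hc->addr_conf->spdy) {
+srv = (unsigned char *) NGX_SPDY_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE;
+srvlen = sizeof(NGX_SPDY_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE) - 1;
+
+} else
+#endif
+{
+srv = (unsigned char *) NGX_HTTP_NPN_ADVERTISE;
+srvlen = sizeof(NGX_HTTP_NPN_ADVERTISE) - 1;
+}
+
+if (SSL_select_next_proto((unsigned char **) out, outlen, srv, srvlen,
+in, inlen)
+!= OPENSSL_NPN_NEGOTIATED)
+{
+return SSL_TLSEXT_ERR_NOACK;
+}
+
+ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
+"SSL ALPN selected: %*s", *outlen, *out);
+
+return SSL_TLSEXT_ERR_OK;
+}
+
+#endif
+
+
 #ifdef TLSEXT_TYPE_next_proto_neg
-
-#define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1"
 
 static int
 ngx_http_ssl_npn_advertised(ngx_ssl_conn_t *ssl_conn,
 const unsigned char **out, unsigned int *outlen, void *arg)
 {
@@ -559,10 +623,14 @@
 "therefore SNI is not available");
 }
 
 #endif
 
+#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
+SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_http_ssl_alpn_select, NULL);
+#endif
+
 #ifdef TLSEXT_TYPE_next_proto_neg
 SSL_CTX_set_next_protos_advertised_cb(conf->ssl.ctx,
 ngx_http_ssl_npn_advertised, NULL);
 #endif
 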
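Review bot: The two ngx_log_debug2 calls in ngx_http_ssl_alpn_select (second hunk, the callback is fully within it) pass `in[i]` and `*outlen` — both `unsigned char`, promoted to `int` — as the length argument of `%*s`, but nginx's own formatter fetches that argument from the va_list as a `size_t`, so on LP64 builds the upper half of the length is whatever the register held and a debug build can log a truncated, over-long or out-of-bounds string. Cast explicitly: `"SSL ALPN supported by client: %*s", (size_t) in[i], &in[i + 1]);` and `"SSL ALPN selected: %*s", (size_t) *outlen, *out);`. The same debug loop advances by the client-supplied length bytes of the ALPN list without checking them against `inlen`; that is only safe if the OpenSSL version in use rejects malformed lists before invoking the callback, which is worth confirming rather than assuming. Returning SSL_TLSEXT_ERR_NOACK when SSL_select_next_proto finds no overlap lets the handshake complete without ALPN, so a one-line comment such as `/* no common protocol: fall back to a plain handshake rather than a fatal alert */` would record that this is the intended policy.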