nginx: src/http/modules/ngx_http_ssl

comparison src/http/modules/ngx_http_ssl_module.c @ 7934:61abb35bb8cf

HTTP/2: removed support for NPN. NPN was replaced with ALPN, published as RFC 7301 in July 2014. It used to negotiate SPDY (and, in transition, HTTP/2). NPN supported appeared in OpenSSL 1.0.1. It does not work with TLSv1.3 [1]. ALPN is supported since OpenSSL 1.0.2. The NPN support was dropped in Firefox 53 [2] and Chrome 51 [3]. [1] https://github.com/openssl/openssl/issues/3665. [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1248198 [3] https://www.chromestatus.com/feature/5767920709795840

author	Vladimir Homutov <vl@nginx.com>
date	Fri, 15 Oct 2021 10:02:15 +0300
parents	419c066cb710
children	eb6c77e6d55d

comparison

equal deleted inserted replaced

-:2f443cac3f1e
+:61abb35bb8cf
 #define NGX_DEFAULT_CIPHERS     "HIGH:!aNULL:!MD5"
 #define NGX_DEFAULT_ECDH_CURVE  "auto"
-#define NGX_HTTP_NPN_ADVERTISE  "\x08http/1.1"
+#define NGX_HTTP_ALPN_PROTO     "\x08http/1.1"
 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
 static int ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn,
 const unsigned char **out, unsigned char *outlen,
 const unsigned char *in, unsigned int inlen, void *arg);
-#endif
-#ifdef TLSEXT_TYPE_next_proto_neg
-static int ngx_http_ssl_npn_advertised(ngx_ssl_conn_t *ssl_conn,
-const unsigned char **out, unsigned int *outlen, void *arg);
 #endif
 static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r,
 ngx_http_variable_value_t *v, uintptr_t data);
 static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r,
 #if (NGX_HTTP_V2)
 hc = c->data;
 if (hc->addr_conf->http2) {
-srv =
+srv = (unsigned char *) NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTO;
-(unsigned char *) NGX_HTTP_V2_ALPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE;
+srvlen = sizeof(NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTO) - 1;
-srvlen = sizeof(NGX_HTTP_V2_ALPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE) - 1;
 } else
 #endif
 {
-srv = (unsigned char *) NGX_HTTP_NPN_ADVERTISE;
+srv = (unsigned char *) NGX_HTTP_ALPN_PROTO;
-srvlen = sizeof(NGX_HTTP_NPN_ADVERTISE) - 1;
+srvlen = sizeof(NGX_HTTP_ALPN_PROTO) - 1;
 }
 if (SSL_select_next_proto((unsigned char **) out, outlen, srv, srvlen,
 in, inlen)
 != OPENSSL_NPN_NEGOTIATED)
 return SSL_TLSEXT_ERR_NOACK;
 }
 ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
 "SSL ALPN selected: %*s", (size_t) *outlen, *out);
-return SSL_TLSEXT_ERR_OK;
-}
-#endif
-#ifdef TLSEXT_TYPE_next_proto_neg
-static int
-ngx_http_ssl_npn_advertised(ngx_ssl_conn_t *ssl_conn,
-const unsigned char **out, unsigned int *outlen, void *arg)
-{
-#if (NGX_HTTP_V2 || NGX_DEBUG)
-ngx_connection_t  *c;
-c = ngx_ssl_get_connection(ssl_conn);
-ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "SSL NPN advertised");
-#endif
-#if (NGX_HTTP_V2)
-{
-ngx_http_connection_t  *hc;
-hc = c->data;
-if (hc->addr_conf->http2) {
-*out =
-(unsigned char *) NGX_HTTP_V2_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE;
-*outlen = sizeof(NGX_HTTP_V2_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE) - 1;
-return SSL_TLSEXT_ERR_OK;
-}
-}
-#endif
-*out = (unsigned char *) NGX_HTTP_NPN_ADVERTISE;
-*outlen = sizeof(NGX_HTTP_NPN_ADVERTISE) - 1;
 return SSL_TLSEXT_ERR_OK;
 }
 #endif
 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
 SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_http_ssl_alpn_select, NULL);
 #endif
-#ifdef TLSEXT_TYPE_next_proto_neg
-SSL_CTX_set_next_protos_advertised_cb(conf->ssl.ctx,
-ngx_http_ssl_npn_advertised, NULL);
-#endif
 if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
 conf->prefer_server_ciphers)
 != NGX_OK)
 {
 return NGX_CONF_ERROR;

Mercurial > hg > nginx

comparison src/http/modules/ngx_http_ssl_module.c @ 7934:61abb35bb8cf