comparison src/http/modules/ngx_http_ssl_module.c @ 7934:61abb35bb8cf
HTTP/2: removed support for NPN.
NPN was replaced with ALPN, published as RFC 7301 in July 2014.
It used to negotiate SPDY (and, in transition, HTTP/2).
NPN support appeared in OpenSSL 1.0.1. It does not work with TLSv1.3 [1].
ALPN is supported since OpenSSL 1.0.2.
The NPN support was dropped in Firefox 53 [2] and Chrome 51 [3].
[1] https://github.com/openssl/openssl/issues/3665.
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1248198
[3] https://www.chromestatus.com/feature/5767920709795840
author | Vladimir Homutov <vl@nginx.com> |
---|---|
date | Fri, 15 Oct 2021 10:02:15 +0300 |
parents | 419c066cb710 |
children | eb6c77e6d55d |
7933:2f443cac3f1e | 7934:61abb35bb8cf |
---|---|
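--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -15,22 +15,17 @@
 
 
 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
 #define NGX_DEFAULT_ECDH_CURVE "auto"
 
-#define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1"
+#define NGX_HTTP_ALPN_PROTO "\x08http/1.1"
 
 
 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
 static int ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn,
 const unsigned char **out, unsigned char *outlen,
 const unsigned char *in, unsigned int inlen, void *arg);
-#endif
-
-#ifdef TLSEXT_TYPE_next_proto_neg
-static int ngx_http_ssl_npn_advertised(ngx_ssl_conn_t *ssl_conn,
-const unsigned char **out, unsigned int *outlen, void *arg);
 #endif
 
 static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r,
 ngx_http_variable_value_t *v, uintptr_t data);
 static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r,
@@ -442,68 +437,29 @@
 
 #if (NGX_HTTP_V2)
 hc = c->data;
 
 if (hc->addr_conf->http2) {
-srv =
-(unsigned char *) NGX_HTTP_V2_ALPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE;
-srvlen = sizeof(NGX_HTTP_V2_ALPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE) - 1;
+srv = (unsigned char *) NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTO;
+srvlen = sizeof(NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTO) - 1;
 
 } else
 #endif
 {
-srv = (unsigned char *) NGX_HTTP_NPN_ADVERTISE;
-srvlen = sizeof(NGX_HTTP_NPN_ADVERTISE) - 1;
+srv = (unsigned char *) NGX_HTTP_ALPN_PROTO;
+srvlen = sizeof(NGX_HTTP_ALPN_PROTO) - 1;
 }
 
 if (SSL_select_next_proto((unsigned char **) out, outlen, srv, srvlen,
 in, inlen)
 != OPENSSL_NPN_NEGOTIATED)
 return SSL_TLSEXT_ERR_NOACK;
 }
 
 ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
 "SSL ALPN selected: %*s", (size_t) *outlen, *out);
-
-return SSL_TLSEXT_ERR_OK;
-}
-
-#endif
-
-
-#ifdef TLSEXT_TYPE_next_proto_neg
-
-static int
-ngx_http_ssl_npn_advertised(ngx_ssl_conn_t *ssl_conn,
-const unsigned char **out, unsigned int *outlen, void *arg)
-{
-#if (NGX_HTTP_V2 || NGX_DEBUG)
-ngx_connection_t *c;
-
-c = ngx_ssl_get_connection(ssl_conn);
-ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "SSL NPN advertised");
-#endif
-
-#if (NGX_HTTP_V2)
-{
-ngx_http_connection_t *hc;
-
-hc = c->data;
-
-if (hc->addr_conf->http2) {
-*out =
-(unsigned char *) NGX_HTTP_V2_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE;
-*outlen = sizeof(NGX_HTTP_V2_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE) - 1;
-
-return SSL_TLSEXT_ERR_OK;
-}
-}
-#endif
-
-*out = (unsigned char *) NGX_HTTP_NPN_ADVERTISE;
-*outlen = sizeof(NGX_HTTP_NPN_ADVERTISE) - 1;
 
 return SSL_TLSEXT_ERR_OK;
 }
 
 #endif
@@ -790,15 +746,10 @@
 
 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
 SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_http_ssl_alpn_select, NULL);
 #endif
 
-#ifdef TLSEXT_TYPE_next_proto_neg
-SSL_CTX_set_next_protos_advertised_cb(conf->ssl.ctx,
-ngx_http_ssl_npn_advertised, NULL);
-#endif
-
 if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
 conf->prefer_server_ciphers)
 != NGX_OK)
 {
 return NGX_CONF_ERROR;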
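Review bot: The `!= OPENSSL_NPN_NEGOTIATED` check that survives in `ngx_http_ssl_alpn_select` (new lines 452–456, second hunk) is doing security-relevant work and deserves a comment, because on a no-overlap result `SSL_select_next_proto` still stores a pointer into `*out`/`*outlen`, and by my reading which list that pointer refers to has differed between OpenSSL releases; returning `SSL_TLSEXT_ERR_NOACK` before the debug log is what keeps that value from being acted on or even printed. Suggested comment above the call: `/* on OPENSSL_NPN_NO_OVERLAP *out still points into one of the lists; refuse rather than use it */`. The same "trust nothing implicit" reading applies to the renamed `NGX_HTTP_ALPN_PROTO` (new line 20, first hunk): the `\x08` prefix must equal the length of the name that follows, since `sizeof(...) - 1` is what gets advertised, so `/* ALPN wire format: one length byte, then the protocol name; keep the prefix in sync */` would protect the next edit that touches it. The function's opening lines, including the `srv`/`srvlen` declarations, sit above the hunk and are not visible here.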