comparison src/http/modules/ngx_http_ssl_module.c @ 8889:61d0fa67b55e quic
Merged with the default branch.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Wed, 03 Nov 2021 11:22:07 +0300 |
parents | e5a17d6041bd db6b630e6086 |
children | 606bf52888d2 |
8888:6d1488b62dc5 | 8889:61d0fa67b55e |
---|---|
15 | 15 |
16 | 16 |
17 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" | 17 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" |
18 #define NGX_DEFAULT_ECDH_CURVE "auto" | 18 #define NGX_DEFAULT_ECDH_CURVE "auto" |
19 | 19 |
20 #define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1" | 20 #define NGX_HTTP_ALPN_PROTOS "\x08http/1.1\x08http/1.0\x08http/0.9" |
21 | 21 |
22 | 22 |
23 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation | 23 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation |
24 static int ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, | 24 static int ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, |
25 const unsigned char **out, unsigned char *outlen, | 25 const unsigned char **out, unsigned char *outlen, |
26 const unsigned char *in, unsigned int inlen, void *arg); | 26 const unsigned char *in, unsigned int inlen, void *arg); |
27 #endif | |
28 | |
29 #ifdef TLSEXT_TYPE_next_proto_neg | |
30 static int ngx_http_ssl_npn_advertised(ngx_ssl_conn_t *ssl_conn, | |
31 const unsigned char **out, unsigned int *outlen, void *arg); | |
32 #endif | 27 #endif |
33 | 28 |
34 static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r, | 29 static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r, |
35 ngx_http_variable_value_t *v, uintptr_t data); | 30 ngx_http_variable_value_t *v, uintptr_t data); |
36 static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r, | 31 static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r, |
361 NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE, 0 }, | 356 NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE, 0 }, |
362 | 357 |
363 { ngx_string("ssl_server_name"), NULL, ngx_http_ssl_variable, | 358 { ngx_string("ssl_server_name"), NULL, ngx_http_ssl_variable, |
364 (uintptr_t) ngx_ssl_get_server_name, NGX_HTTP_VAR_CHANGEABLE, 0 }, | 359 (uintptr_t) ngx_ssl_get_server_name, NGX_HTTP_VAR_CHANGEABLE, 0 }, |
365 | 360 |
361 { ngx_string("ssl_alpn_protocol"), NULL, ngx_http_ssl_variable, | |
362 (uintptr_t) ngx_ssl_get_alpn_protocol, NGX_HTTP_VAR_CHANGEABLE, 0 }, | |
363 | |
366 { ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable, | 364 { ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable, |
367 (uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 }, | 365 (uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 }, |
368 | 366 |
369 { ngx_string("ssl_client_raw_cert"), NULL, ngx_http_ssl_variable, | 367 { ngx_string("ssl_client_raw_cert"), NULL, ngx_http_ssl_variable, |
370 (uintptr_t) ngx_ssl_get_raw_certificate, | 368 (uintptr_t) ngx_ssl_get_raw_certificate, |
447 hc = c->data; | 445 hc = c->data; |
448 #endif | 446 #endif |
449 | 447 |
450 #if (NGX_HTTP_V2) | 448 #if (NGX_HTTP_V2) |
451 if (hc->addr_conf->http2) { | 449 if (hc->addr_conf->http2) { |
452 srv = | 450 srv = (unsigned char *) NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTOS; |
453 (unsigned char *) NGX_HTTP_V2_ALPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE; | 451 srvlen = sizeof(NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTOS) - 1; |
454 srvlen = sizeof(NGX_HTTP_V2_ALPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE) - 1; | |
455 | |
456 } else | 452 } else |
457 #endif | 453 #endif |
458 #if (NGX_HTTP_QUIC) | 454 #if (NGX_HTTP_QUIC) |
459 if (hc->addr_conf->quic) { | 455 if (hc->addr_conf->quic) { |
460 #if (NGX_HTTP_V3) | 456 #if (NGX_HTTP_V3) |
482 } | 478 } |
483 | 479 |
484 } else | 480 } else |
485 #endif | 481 #endif |
486 { | 482 { |
487 srv = (unsigned char *) NGX_HTTP_NPN_ADVERTISE; | 483 srv = (unsigned char *) NGX_HTTP_ALPN_PROTOS; |
488 srvlen = sizeof(NGX_HTTP_NPN_ADVERTISE) - 1; | 484 srvlen = sizeof(NGX_HTTP_ALPN_PROTOS) - 1; |
489 } | 485 } |
490 | 486 |
491 if (SSL_select_next_proto((unsigned char **) out, outlen, srv, srvlen, | 487 if (SSL_select_next_proto((unsigned char **) out, outlen, srv, srvlen, |
492 in, inlen) | 488 in, inlen) |
493 != OPENSSL_NPN_NEGOTIATED) | 489 != OPENSSL_NPN_NEGOTIATED) |
494 { | 490 { |
495 return SSL_TLSEXT_ERR_NOACK; | 491 return SSL_TLSEXT_ERR_ALERT_FATAL; |
496 } | 492 } |
497 | 493 |
498 ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0, | 494 ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0, |
499 "SSL ALPN selected: %*s", (size_t) *outlen, *out); | 495 "SSL ALPN selected: %*s", (size_t) *outlen, *out); |
500 | |
501 return SSL_TLSEXT_ERR_OK; | |
502 } | |
503 | |
504 #endif | |
505 | |
506 | |
507 #ifdef TLSEXT_TYPE_next_proto_neg | |
508 | |
509 static int | |
510 ngx_http_ssl_npn_advertised(ngx_ssl_conn_t *ssl_conn, | |
511 const unsigned char **out, unsigned int *outlen, void *arg) | |
512 { | |
513 #if (NGX_HTTP_V2 || NGX_DEBUG) | |
514 ngx_connection_t *c; | |
515 | |
516 c = ngx_ssl_get_connection(ssl_conn); | |
517 ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "SSL NPN advertised"); | |
518 #endif | |
519 | |
520 #if (NGX_HTTP_V2) | |
521 { | |
522 ngx_http_connection_t *hc; | |
523 | |
524 hc = c->data; | |
525 | |
526 if (hc->addr_conf->http2) { | |
527 *out = | |
528 (unsigned char *) NGX_HTTP_V2_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE; | |
529 *outlen = sizeof(NGX_HTTP_V2_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE) - 1; | |
530 | |
531 return SSL_TLSEXT_ERR_OK; | |
532 } | |
533 } | |
534 #endif | |
535 | |
536 *out = (unsigned char *) NGX_HTTP_NPN_ADVERTISE; | |
537 *outlen = sizeof(NGX_HTTP_NPN_ADVERTISE) - 1; | |
538 | 496 |
539 return SSL_TLSEXT_ERR_OK; | 497 return SSL_TLSEXT_ERR_OK; |
540 } | 498 } |
541 | 499 |
542 #endif | 500 #endif |
823 | 781 |
824 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation | 782 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation |
825 SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_http_ssl_alpn_select, NULL); | 783 SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_http_ssl_alpn_select, NULL); |
826 #endif | 784 #endif |
827 | 785 |
828 #ifdef TLSEXT_TYPE_next_proto_neg | |
829 SSL_CTX_set_next_protos_advertised_cb(conf->ssl.ctx, | |
830 ngx_http_ssl_npn_advertised, NULL); | |
831 #endif | |
832 | |
833 if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers, | 786 if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers, |
834 conf->prefer_server_ciphers) | 787 conf->prefer_server_ciphers) |
835 != NGX_OK) | 788 != NGX_OK) |
836 { | 789 { |
837 return NGX_CONF_ERROR; | 790 return NGX_CONF_ERROR; |