comparison src/http/modules/ngx_http_ssl_module.c @ 5106:afee87b8190a

SSL: Next Protocol Negotiation extension support. Not only is this useful for the upcoming SPDY support, but it can also help to improve HTTPS performance by enabling TLS False Start in Chrome/Chromium browsers [1]. So, we always enable NPN for HTTPS if it is supported by OpenSSL. [1] http://www.imperialviolet.org/2012/04/11/falsestart.html
author Valentin Bartenev <vbart@nginx.com>
date Thu, 07 Mar 2013 18:21:28 +0000
parents 9ea42922a395
children c0f7b94e88ba
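--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -15,10 +15,15 @@
 
 
 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
 #define NGX_DEFAULT_ECDH_CURVE "prime256v1"
 
+
+#ifdef TLSEXT_TYPE_next_proto_neg
+static int ngx_http_ssl_npn_advertised(ngx_ssl_conn_t *ssl_conn,
+const unsigned char **out, unsigned int *outlen, void *arg);
+#endif
 
 static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r,
 ngx_http_variable_value_t *v, uintptr_t data);
 static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r,
 ngx_http_variable_value_t *v, uintptr_t data);
@@ -258,10 +263,34 @@
 { ngx_null_string, NULL, NULL, 0, 0, 0 }
 };
 
 
 static ngx_str_t ngx_http_ssl_sess_id_ctx = ngx_string("HTTP");
+
+
+#ifdef TLSEXT_TYPE_next_proto_neg
+
+#define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1"
+
+static int
+ngx_http_ssl_npn_advertised(ngx_ssl_conn_t *ssl_conn,
+const unsigned char **out, unsigned int *outlen, void *arg)
+{
+#if (NGX_DEBUG)
+ngx_connection_t *c;
+
+c = ngx_ssl_get_connection(ssl_conn);
+ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "SSL NPN advertised");
+#endif
+
+*out = (unsigned char *) NGX_HTTP_NPN_ADVERTISE;
+*outlen = sizeof(NGX_HTTP_NPN_ADVERTISE) - 1;
+
+return SSL_TLSEXT_ERR_OK;
+}
+
+#endif
 
 
 static ngx_int_t
 ngx_http_ssl_static_variable(ngx_http_request_t *r,
 ngx_http_variable_value_t *v, uintptr_t data)
@@ -488,10 +517,15 @@
 "therefore SNI is not available");
 }
 
 #endif
 
+#ifdef TLSEXT_TYPE_next_proto_neg
+SSL_CTX_set_next_protos_advertised_cb(conf->ssl.ctx,
+ngx_http_ssl_npn_advertised, NULL);
+#endif
+
 cln = ngx_pool_cleanup_add(cf->pool, 0);
 if (cln == NULL) {
 return NGX_CONF_ERROR;
 }
 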
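Review bot: The `NGX_HTTP_NPN_ADVERTISE` literal in the second hunk hand-encodes the NPN wire format with no comment, so nothing ties the `\x08` length byte to the eight characters of `http/1.1`, and a mismatch introduced when the list grows would put a malformed protocol list on the wire. I would add `/* NPN list: each entry is a one-byte length followed by the protocol name */` above the define, and note there that a C hex escape absorbs any hex digits that follow it, so a protocol name beginning with `0`-`9` or `a`-`f` needs the literal split into adjacent strings. The callback assigns the literal through `(unsigned char *)`, which drops `const` for no reason since `*out` is `const unsigned char *`; `*out = (const unsigned char *) NGX_HTTP_NPN_ADVERTISE;` says what is meant. Nothing visible here reads the protocol the client selected, which is harmless while only one protocol is advertised; as far as I recall the NPN draft lets a client answer with a name the server did not list, so the later SPDY code should validate the negotiated value and fall back to HTTP/1.1 on anything unexpected.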