comparison src/http/modules/ngx_http_ssl_module.c @ 5106:afee87b8190a
SSL: Next Protocol Negotiation extension support.
Not only is this useful for the upcoming SPDY support, but it can
also help to improve HTTPS performance by enabling TLS False Start
in Chrome/Chromium browsers [1]. So, we always enable NPN for HTTPS
if it is supported by OpenSSL.
[1] http://www.imperialviolet.org/2012/04/11/falsestart.html
author | Valentin Bartenev <vbart@nginx.com> |
---|---|
date | Thu, 07 Mar 2013 18:21:28 +0000 |
parents | 9ea42922a395 |
children | c0f7b94e88ba |
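--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -15,10 +15,15 @@
 
 
 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
 #define NGX_DEFAULT_ECDH_CURVE "prime256v1"
 
+
+#ifdef TLSEXT_TYPE_next_proto_neg
+static int ngx_http_ssl_npn_advertised(ngx_ssl_conn_t *ssl_conn,
+const unsigned char **out, unsigned int *outlen, void *arg);
+#endif
 
 static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r,
 ngx_http_variable_value_t *v, uintptr_t data);
 static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r,
 ngx_http_variable_value_t *v, uintptr_t data);
@@ -258,10 +263,34 @@
 { ngx_null_string, NULL, NULL, 0, 0, 0 }
 };
 
 
 static ngx_str_t ngx_http_ssl_sess_id_ctx = ngx_string("HTTP");
+
+
+#ifdef TLSEXT_TYPE_next_proto_neg
+
+#define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1"
+
+static int
+ngx_http_ssl_npn_advertised(ngx_ssl_conn_t *ssl_conn,
+const unsigned char **out, unsigned int *outlen, void *arg)
+{
+#if (NGX_DEBUG)
+ngx_connection_t *c;
+
+c = ngx_ssl_get_connection(ssl_conn);
+ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "SSL NPN advertised");
+#endif
+
+*out = (unsigned char *) NGX_HTTP_NPN_ADVERTISE;
+*outlen = sizeof(NGX_HTTP_NPN_ADVERTISE) - 1;
+
+return SSL_TLSEXT_ERR_OK;
+}
+
+#endif
 
 
 static ngx_int_t
 ngx_http_ssl_static_variable(ngx_http_request_t *r,
 ngx_http_variable_value_t *v, uintptr_t data)
@@ -488,10 +517,15 @@
 "therefore SNI is not available");
 }
 
 #endif
 
+#ifdef TLSEXT_TYPE_next_proto_neg
+SSL_CTX_set_next_protos_advertised_cb(conf->ssl.ctx,
+ngx_http_ssl_npn_advertised, NULL);
+#endif
+
 cln = ngx_pool_cleanup_add(cf->pool, 0);
 if (cln == NULL) {
 return NGX_CONF_ERROR;
 }
 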
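Review bot: `NGX_HTTP_NPN_ADVERTISE` is a hand-encoded NPN protocol list whose leading `\x08` has to equal the length of `http/1.1`, and nothing next to the define says so or checks it. A comment above it such as `/* NPN list: each entry is a one-byte length followed by the protocol name; sizeof - 1 drops the trailing NUL */` would keep the prefix and `*outlen` in step when further protocols are appended for the SPDY work the description mentions. In `ngx_http_ssl_npn_advertised()` the cast `(unsigned char *)` discards the const that `out` is declared with; `*out = (const unsigned char *) NGX_HTTP_NPN_ADVERTISE;` matches the parameter type. The callback is registered unconditionally in the third hunk, inside a function whose start and end lie outside the shown context, so there appears to be no directive to turn the advertisement off. Since the description ties it to enabling TLS False Start in browsers, that side effect deserves a line in the directive documentation for operators.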