Mercurial > hg > nginx
comparison src/event/ngx_event_openssl.c @ 7333:ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Early data AKA 0-RTT mode is enabled as long as "ssl_early_data on" is
specified in the configuration (default is off).
The $ssl_early_data variable evaluates to "1" if the SSL handshake
isn't yet completed, and can be used to set the Early-Data header as
per draft-ietf-httpbis-replay-04.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Tue, 07 Aug 2018 02:16:07 +0300 |
| parents | 7ad0f4ace359 |
| children | 0de0b16a551c |
comparison
equal
deleted
inserted
replaced
| 7332:7ad0f4ace359 | 7333:ba971deb4b44 |
|---|---|
| 1160 SSL_CTX_set_tmp_ecdh(ssl->ctx, ecdh); | 1160 SSL_CTX_set_tmp_ecdh(ssl->ctx, ecdh); |
| 1161 | 1161 |
| 1162 EC_KEY_free(ecdh); | 1162 EC_KEY_free(ecdh); |
| 1163 #endif | 1163 #endif |
| 1164 #endif | 1164 #endif |
| 1165 #endif | |
| 1166 | |
| 1167 return NGX_OK; | |
| 1168 } | |
| 1169 | |
| 1170 | |
| 1171 ngx_int_t | |
| 1172 ngx_ssl_early_data(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_uint_t enable) | |
| 1173 { | |
| 1174 if (!enable) { | |
| 1175 return NGX_OK; | |
| 1176 } | |
| 1177 | |
| 1178 #ifdef SSL_ERROR_EARLY_DATA_REJECTED | |
| 1179 | |
| 1180 /* BoringSSL */ | |
| 1181 | |
| 1182 SSL_CTX_set_early_data_enabled(ssl->ctx, 1); | |
| 1183 | |
| 1184 #else | |
| 1185 ngx_log_error(NGX_LOG_WARN, ssl->log, 0, | |
| 1186 "\"ssl_early_data\" is not supported on this platform, " | |
| 1187 "ignored"); | |
| 1165 #endif | 1188 #endif |
| 1166 | 1189 |
| 1167 return NGX_OK; | 1190 return NGX_OK; |
| 1168 } | 1191 } |
| 1169 | 1192 |
| 3622 return NGX_OK; | 3645 return NGX_OK; |
| 3623 } | 3646 } |
| 3624 | 3647 |
| 3625 | 3648 |
| 3626 ngx_int_t | 3649 ngx_int_t |
| 3650 ngx_ssl_get_early_data(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) | |
| 3651 { | |
| 3652 s->len = 0; | |
| 3653 | |
| 3654 #ifdef SSL_ERROR_EARLY_DATA_REJECTED | |
| 3655 if (SSL_in_early_data(c->ssl->connection)) { | |
| 3656 ngx_str_set(s, "1"); | |
| 3657 } | |
| 3658 #endif | |
| 3659 | |
| 3660 return NGX_OK; | |
| 3661 } | |
| 3662 | |
| 3663 | |
| 3664 ngx_int_t | |
| 3627 ngx_ssl_get_server_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) | 3665 ngx_ssl_get_server_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) |
| 3628 { | 3666 { |
| 3629 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME | 3667 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME |
| 3630 | 3668 |
| 3631 size_t len; | 3669 size_t len; |