Mercurial > hg > nginx
comparison src/http/modules/ngx_http_ssl_module.c @ 7333:ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Early data AKA 0-RTT mode is enabled as long as "ssl_early_data on" is
specified in the configuration (default is off).
The $ssl_early_data variable evaluates to "1" if the SSL handshake
isn't yet completed, and can be used to set the Early-Data header as
per draft-ietf-httpbis-replay-04.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Tue, 07 Aug 2018 02:16:07 +0300 |
| parents | 46c0c7ef4913 |
| children | be2af41d3620 |
comparison
equal
deleted
inserted
replaced
| 7332:7ad0f4ace359 | 7333:ba971deb4b44 |
|---|---|
| 235 { ngx_string("ssl_stapling_verify"), | 235 { ngx_string("ssl_stapling_verify"), |
| 236 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, | 236 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, |
| 237 ngx_conf_set_flag_slot, | 237 ngx_conf_set_flag_slot, |
| 238 NGX_HTTP_SRV_CONF_OFFSET, | 238 NGX_HTTP_SRV_CONF_OFFSET, |
| 239 offsetof(ngx_http_ssl_srv_conf_t, stapling_verify), | 239 offsetof(ngx_http_ssl_srv_conf_t, stapling_verify), |
| 240 NULL }, | |
| 241 | |
| 242 { ngx_string("ssl_early_data"), | |
| 243 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, | |
| 244 ngx_conf_set_flag_slot, | |
| 245 NGX_HTTP_SRV_CONF_OFFSET, | |
| 246 offsetof(ngx_http_ssl_srv_conf_t, early_data), | |
| 240 NULL }, | 247 NULL }, |
| 241 | 248 |
| 242 ngx_null_command | 249 ngx_null_command |
| 243 }; | 250 }; |
| 244 | 251 |
| 292 (uintptr_t) ngx_ssl_get_session_id, NGX_HTTP_VAR_CHANGEABLE, 0 }, | 299 (uintptr_t) ngx_ssl_get_session_id, NGX_HTTP_VAR_CHANGEABLE, 0 }, |
| 293 | 300 |
| 294 { ngx_string("ssl_session_reused"), NULL, ngx_http_ssl_variable, | 301 { ngx_string("ssl_session_reused"), NULL, ngx_http_ssl_variable, |
| 295 (uintptr_t) ngx_ssl_get_session_reused, NGX_HTTP_VAR_CHANGEABLE, 0 }, | 302 (uintptr_t) ngx_ssl_get_session_reused, NGX_HTTP_VAR_CHANGEABLE, 0 }, |
| 296 | 303 |
| 304 { ngx_string("ssl_early_data"), NULL, ngx_http_ssl_variable, | |
| 305 (uintptr_t) ngx_ssl_get_early_data, | |
| 306 NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE, 0 }, | |
| 307 | |
| 297 { ngx_string("ssl_server_name"), NULL, ngx_http_ssl_variable, | 308 { ngx_string("ssl_server_name"), NULL, ngx_http_ssl_variable, |
| 298 (uintptr_t) ngx_ssl_get_server_name, NGX_HTTP_VAR_CHANGEABLE, 0 }, | 309 (uintptr_t) ngx_ssl_get_server_name, NGX_HTTP_VAR_CHANGEABLE, 0 }, |
| 299 | 310 |
| 300 { ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable, | 311 { ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable, |
| 301 (uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 }, | 312 (uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 }, |
| 550 * sscf->stapling_responder = { 0, NULL }; | 561 * sscf->stapling_responder = { 0, NULL }; |
| 551 */ | 562 */ |
| 552 | 563 |
| 553 sscf->enable = NGX_CONF_UNSET; | 564 sscf->enable = NGX_CONF_UNSET; |
| 554 sscf->prefer_server_ciphers = NGX_CONF_UNSET; | 565 sscf->prefer_server_ciphers = NGX_CONF_UNSET; |
| 566 sscf->early_data = NGX_CONF_UNSET; | |
| 555 sscf->buffer_size = NGX_CONF_UNSET_SIZE; | 567 sscf->buffer_size = NGX_CONF_UNSET_SIZE; |
| 556 sscf->verify = NGX_CONF_UNSET_UINT; | 568 sscf->verify = NGX_CONF_UNSET_UINT; |
| 557 sscf->verify_depth = NGX_CONF_UNSET_UINT; | 569 sscf->verify_depth = NGX_CONF_UNSET_UINT; |
| 558 sscf->certificates = NGX_CONF_UNSET_PTR; | 570 sscf->certificates = NGX_CONF_UNSET_PTR; |
| 559 sscf->certificate_keys = NGX_CONF_UNSET_PTR; | 571 sscf->certificate_keys = NGX_CONF_UNSET_PTR; |
| 592 prev->session_timeout, 300); | 604 prev->session_timeout, 300); |
| 593 | 605 |
| 594 ngx_conf_merge_value(conf->prefer_server_ciphers, | 606 ngx_conf_merge_value(conf->prefer_server_ciphers, |
| 595 prev->prefer_server_ciphers, 0); | 607 prev->prefer_server_ciphers, 0); |
| 596 | 608 |
| 609 ngx_conf_merge_value(conf->early_data, prev->early_data, 0); | |
| 610 | |
| 597 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, | 611 ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, |
| 598 (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1 | 612 (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1 |
| 599 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); | 613 |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); |
| 600 | 614 |
| 601 ngx_conf_merge_size_value(conf->buffer_size, prev->buffer_size, | 615 ngx_conf_merge_size_value(conf->buffer_size, prev->buffer_size, |
| 805 != NGX_OK) | 819 != NGX_OK) |
| 806 { | 820 { |
| 807 return NGX_CONF_ERROR; | 821 return NGX_CONF_ERROR; |
| 808 } | 822 } |
| 809 | 823 |
| 824 } | |
| 825 | |
| 826 if (ngx_ssl_early_data(cf, &conf->ssl, conf->early_data) != NGX_OK) { | |
| 827 return NGX_CONF_ERROR; | |
| 810 } | 828 } |
| 811 | 829 |
| 812 return NGX_CONF_OK; | 830 return NGX_CONF_OK; |
| 813 } | 831 } |
| 814 | 832 |