comparison src/http/modules/ngx_http_ssl_module.c @ 7333:ba971deb4b44
SSL: support for TLSv1.3 early data with BoringSSL.
Early data AKA 0-RTT mode is enabled as long as "ssl_early_data on" is
specified in the configuration (default is off).
The $ssl_early_data variable evaluates to "1" if the SSL handshake
isn't yet completed, and can be used to set the Early-Data header as
per draft-ietf-httpbis-replay-04.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Tue, 07 Aug 2018 02:16:07 +0300 |
parents | 46c0c7ef4913 |
children | be2af41d3620 |
7332:7ad0f4ace359 | 7333:ba971deb4b44 |
---|---|
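--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -235,10 +235,17 @@
     { ngx_string("ssl_stapling_verify"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
       ngx_conf_set_flag_slot,
       NGX_HTTP_SRV_CONF_OFFSET,
       offsetof(ngx_http_ssl_srv_conf_t, stapling_verify),
+      NULL },
+
+    { ngx_string("ssl_early_data"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
+      ngx_conf_set_flag_slot,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      offsetof(ngx_http_ssl_srv_conf_t, early_data),
       NULL },
 
     ngx_null_command
 };
 
@@ -292,10 +299,14 @@
       (uintptr_t) ngx_ssl_get_session_id, NGX_HTTP_VAR_CHANGEABLE, 0 },
 
     { ngx_string("ssl_session_reused"), NULL, ngx_http_ssl_variable,
       (uintptr_t) ngx_ssl_get_session_reused, NGX_HTTP_VAR_CHANGEABLE, 0 },
 
+    { ngx_string("ssl_early_data"), NULL, ngx_http_ssl_variable,
+      (uintptr_t) ngx_ssl_get_early_data,
+      NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE, 0 },
+
     { ngx_string("ssl_server_name"), NULL, ngx_http_ssl_variable,
       (uintptr_t) ngx_ssl_get_server_name, NGX_HTTP_VAR_CHANGEABLE, 0 },
 
     { ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable,
       (uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 },
@@ -550,10 +561,11 @@
      *     sscf->stapling_responder = { 0, NULL };
      */
 
     sscf->enable = NGX_CONF_UNSET;
     sscf->prefer_server_ciphers = NGX_CONF_UNSET;
+    sscf->early_data = NGX_CONF_UNSET;
     sscf->buffer_size = NGX_CONF_UNSET_SIZE;
     sscf->verify = NGX_CONF_UNSET_UINT;
     sscf->verify_depth = NGX_CONF_UNSET_UINT;
     sscf->certificates = NGX_CONF_UNSET_PTR;
     sscf->certificate_keys = NGX_CONF_UNSET_PTR;
@@ -592,10 +604,12 @@
                          prev->session_timeout, 300);
 
     ngx_conf_merge_value(conf->prefer_server_ciphers,
                          prev->prefer_server_ciphers, 0);
 
+    ngx_conf_merge_value(conf->early_data, prev->early_data, 0);
+
     ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
                                  (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
                                   |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2));
 
     ngx_conf_merge_size_value(conf->buffer_size, prev->buffer_size,
@@ -805,10 +819,14 @@
             != NGX_OK)
         {
             return NGX_CONF_ERROR;
         }
 
+    }
+
+    if (ngx_ssl_early_data(cf, &conf->ssl, conf->early_data) != NGX_OK) {
+        return NGX_CONF_ERROR;
     }
 
     return NGX_CONF_OK;
 }
 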
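Review bot: The new `ssl_early_data` flag enables a mode in which request data can be replayed, but neither the directive entry nor the merge-time `ngx_ssl_early_data()` call in the last hunk says so, and the operator-facing consequence lives only in the commit message. A short comment above the call would keep that contract with the code, e.g. `/* 0-RTT data can be replayed; $ssl_early_data exposes the handshake state so requests can be marked Early-Data and, where not idempotent, rejected with 425 Too Early (draft-ietf-httpbis-replay-04) */`. The `ssl_early_data` variable entry is marked NGX_HTTP_VAR_NOCACHEABLE, which looks right if the handshake can complete while the request is being processed, and a one-line comment stating that reason next to the entry would make the flag choice self-explanatory. The body of ngx_http_ssl_merge_srv_conf starts outside the hunk, and how ngx_ssl_early_data() behaves on builds other than BoringSSL is not visible here.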