comparison src/http/modules/ngx_http_ssl_module.c @ 7937:db6b630e6086

HTTP: connections with wrong ALPN protocols are now rejected. This is the behavior recommended by RFC 7301 and is useful for mitigating protocol confusion attacks [1]. To avoid possible negative effects, the list of supported protocols was extended to include all possible HTTP protocol ALPN IDs registered by IANA [2], i.e. "http/1.0" and "http/0.9". [1] https://alpaca-attack.com/ [2] https://www.iana.org/assignments/tls-extensiontype-values/
author Vladimir Homutov <vl@nginx.com>
date Wed, 20 Oct 2021 09:50:02 +0300
parents eb6c77e6d55d
children 3443c02ca1d1 61d0fa67b55e
7936:b9e02e9b2f1d 7937:db6b630e6086
15 15
16 16
17 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" 17 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
18 #define NGX_DEFAULT_ECDH_CURVE "auto" 18 #define NGX_DEFAULT_ECDH_CURVE "auto"
19 19
20 #define NGX_HTTP_ALPN_PROTO "\x08http/1.1" 20 #define NGX_HTTP_ALPN_PROTOS "\x08http/1.1\x08http/1.0\x08http/0.9"
21 21
22 22
23 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation 23 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
24 static int ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, 24 static int ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn,
25 const unsigned char **out, unsigned char *outlen, 25 const unsigned char **out, unsigned char *outlen,
440 440
441 #if (NGX_HTTP_V2) 441 #if (NGX_HTTP_V2)
442 hc = c->data; 442 hc = c->data;
443 443
444 if (hc->addr_conf->http2) { 444 if (hc->addr_conf->http2) {
445 srv = (unsigned char *) NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTO; 445 srv = (unsigned char *) NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTOS;
446 srvlen = sizeof(NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTO) - 1; 446 srvlen = sizeof(NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTOS) - 1;
447
448 } else 447 } else
449 #endif 448 #endif
450 { 449 {
451 srv = (unsigned char *) NGX_HTTP_ALPN_PROTO; 450 srv = (unsigned char *) NGX_HTTP_ALPN_PROTOS;
452 srvlen = sizeof(NGX_HTTP_ALPN_PROTO) - 1; 451 srvlen = sizeof(NGX_HTTP_ALPN_PROTOS) - 1;
453 } 452 }
454 453
455 if (SSL_select_next_proto((unsigned char **) out, outlen, srv, srvlen, 454 if (SSL_select_next_proto((unsigned char **) out, outlen, srv, srvlen,
456 in, inlen) 455 in, inlen)
457 != OPENSSL_NPN_NEGOTIATED) 456 != OPENSSL_NPN_NEGOTIATED)
458 { 457 {
459 return SSL_TLSEXT_ERR_NOACK; 458 return SSL_TLSEXT_ERR_ALERT_FATAL;
460 } 459 }
461 460
462 ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0, 461 ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,
463 "SSL ALPN selected: %*s", (size_t) *outlen, *out); 462 "SSL ALPN selected: %*s", (size_t) *outlen, *out);
464 463
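Review bot: The new fatal-reject branch at new lines 457-458 returns silently, so a connection dropped for an ALPN mismatch leaves no trace in the debug log, while the success path two lines below logs the selected protocol; after this behaviour change operators diagnosing client failures will want the symmetric message, e.g. `ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "SSL ALPN no matching protocol, rejecting");` placed before the return. A short comment above the return would also record the rationale, e.g. `/* no overlap: RFC 7301 section 3.2 requires a fatal no_application_protocol alert; this also refuses cross-protocol use of this listener's certificate */`, since the bare SSL_TLSEXT_ERR_ALERT_FATAL does not say why an alert rather than NOACK is now the right answer. Presumably the callback is only invoked when the client actually sends the ALPN extension, so clients without ALPN remain unaffected; that is worth stating in the comment or the description so the rejection is not read as breaking legacy clients. The body of ngx_http_ssl_alpn_select starts before this hunk and continues after it.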