changeset 6345:5ae5142d39a3 stable-1.8

SSL: only select SPDY using NPN if "spdy" is enabled. OpenSSL doesn't check if the negotiated protocol has been announced. As a result, the client might force using SPDY even if it wasn't enabled in configuration.
author Valentin Bartenev <vbart@nginx.com>
date Thu, 05 Nov 2015 15:01:09 +0300
parents a8ecb0a2193f
children e9a4531a2a5d
files src/http/ngx_http_request.c
diffstat 1 files changed, 16 insertions(+), 8 deletions(-) [+]
line wrap: on
line diff
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -770,24 +770,32 @@ ngx_http_ssl_handshake_handler(ngx_conne
         {
         unsigned int             len;
         const unsigned char     *data;
+        ngx_http_connection_t   *hc;
         static const ngx_str_t   spdy = ngx_string(NGX_SPDY_NPN_NEGOTIATED);
 
+        hc = c->data;
+
+        if (hc->addr_conf->spdy) {
+
 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
-        SSL_get0_alpn_selected(c->ssl->connection, &data, &len);
+            SSL_get0_alpn_selected(c->ssl->connection, &data, &len);
 
 #ifdef TLSEXT_TYPE_next_proto_neg
-        if (len == 0) {
-            SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len);
-        }
+            if (len == 0) {
+                SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len);
+            }
 #endif
 
 #else /* TLSEXT_TYPE_next_proto_neg */
-        SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len);
+            SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len);
 #endif
 
-        if (len == spdy.len && ngx_strncmp(data, spdy.data, spdy.len) == 0) {
-            ngx_http_spdy_init(c->read);
-            return;
+            if (len == spdy.len
+                && ngx_strncmp(data, spdy.data, spdy.len) == 0)
+            {
+                ngx_http_spdy_init(c->read);
+                return;
+            }
         }
         }
 #endif