On 31.03.2015 19:12, j...@apache.org wrote:
> Author: jim
> Date: Tue Mar 31 17:12:51 2015
> New Revision: 1670397
>
> URL: http://svn.apache.org/r1670397
> Log:
> ALPN support, based on mod_spdy/mod_h2 patch set
>
> Modified:
> httpd/httpd/trunk/modules/ssl/mod_ssl.c
> httpd/httpd/trunk/modules/ssl/mod_ssl.h
> httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_io.c
> httpd/httpd/trunk/modules/ssl/ssl_private.h
>
> Modified: httpd/httpd/trunk/modules/ssl/mod_ssl.c
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/mod_ssl.c?rev=1670397&r1=1670396&r2=1670397&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/mod_ssl.c (original)
> +++ httpd/httpd/trunk/modules/ssl/mod_ssl.c Tue Mar 31 17:12:51 2015
> @@ -283,6 +283,12 @@ static const command_rec ssl_config_cmds
> "OpenSSL configuration command")
> #endif
>
> +#if defined(HAVE_TLS_ALPN) || defined(HAVE_TLS_NPN)
> + SSL_CMD_SRV(AlpnPreference, ITERATE,
> + "Preference in Application-Layer Protocol Negotiation
> (ALPN), "
> + "protocols are chosed in the specified order")
> +#endif
> +
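Review bot: The guard `#if defined(HAVE_TLS_ALPN) || defined(HAVE_TLS_NPN)` registers AlpnPreference on builds that have only NPN, yet the help string describes the directive purely as an ALPN preference; either narrow the guard to `#if defined(HAVE_TLS_ALPN)` or extend the help text so an administrator reading `httpd -L` on an NPN-only build learns that the same ordered list is also used for NPN.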
s/chosed/chosen/ - and please add docs for this to mod_ssl.xml, too.

> Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1670397&r1=1670396&r2=1670397&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_private.h Tue Mar 31 17:12:51 2015
> @@ -181,6 +181,16 @@
> #define HAVE_TLS_NPN
> #endif
>
> +/* ALPN Protocol Negotiation */
> +#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(OPENSSL_NO_TLSEXT)
> +#define HAVE_TLS_ALPN
> +#endif
> +
> +/* Next Protocol Negotiation */
> +#if !defined(OPENSSL_NO_NEXTPROTONEG) && !defined(OPENSSL_NO_TLSEXT) &&
> defined(OPENSSL_NPN_NEGOTIATED)
> +#define HAVE_TLS_NPN
> +#endif
> +

Instead of hardcoding OpenSSL version numbers, we should rely on feature-based detection - in this case, we can use #if defined(TLSEXT_TYPE_application_layer_protocol_negotiation) (see https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b0d6f3c58fc86756574b410cb6a32589477d3954, the ALPN backport to 1.0.2).

Also, the two "&& !defined(OPENSSL_NO_TLSEXT)" can be dropped, since we're already in a larger "#if !defined(OPENSSL_NO_TLSEXT) ..." block.

And with regard to:

On 01.04.2015 22:33, Jim Jagielski wrote:
> Yeah, I agree. Right now, trunk pretty much uses
>
> #ifdef HAVE_TLS_ALPN
> blah blah
> #endif
> #ifdef HAVE_TLS_NPN
> blah2 blah2
> #endif
>
> Instead of
>
> #if defined(HAVE_TLS_NPN) || defined(HAVE_TLS_ALPN)
>
> so that "ripping out" NPN would be easier. The question is
> which to use for 2.4...

My vote is clearly for only having ALPN in 2.4 - implementations of draft protocol versions shouldn't creep into stable httpd releases, in particular when they have been superseded by a standards-track RFC meanwhile (RFC 7301 was published in July 2014, and even Google has announced its plans to drop NPN early next year, http://blog.chromium.org/2015/02/hello-http2-goodbye-spdy-http-is_9.html).

Kaspar
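Review bot: The ssl_private.h hunk adds a second definition of HAVE_TLS_NPN directly below the one that is already there: the leading context lines of `@@ -181,6 +181,16 @@` show `#define HAVE_TLS_NPN` / `#endif` immediately before the added block, so after this change the macro is defined twice under two different conditions. Keep a single "Next Protocol Negotiation" block and make its condition the authoritative one, rather than leaving two guards that can silently diverge.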