Hey Valentin, > These conditions look very excessive. I think we could leave this definition > without them.
Done. > I've checked out some references and it looks like I was right. > > See here for example: > http://www.esl-library.com/blog/2013/07/25/or-or-and-in-negative-sentences/ > http://forum.wordreference.com/showthread.php?t=577487&p=3234156#post3234156 OK, let's do it your way. > It seems to me, this part looks cleaner if you will avoid duplication > of spdy check: Yeah, you're right... I actually have something very similar in our internal tree, but that's because we're also rejecting unsupported application protocols: http://mailman.nginx.org/pipermail/nginx-devel/2013-April/003605.html > Same here. Let's just remove preprocessor condition at all. Done. Best regards, Piotr Sikora # HG changeset patch # User Piotr Sikora <pi...@cloudflare.com> # Date 1390952029 28800 # Tue Jan 28 15:33:49 2014 -0800 # Node ID f1b9281e85396409f1c56fc76637d39e6893abc8 # Parent fdb67cfc957d110ea887961cc8c08a590df5f62c SSL: support ALPN (IETF's successor to NPN). Signed-off-by: Piotr Sikora <pi...@cloudflare.com> diff -r fdb67cfc957d -r f1b9281e8539 src/http/modules/ngx_http_ssl_module.c --- a/src/http/modules/ngx_http_ssl_module.c Tue Jan 28 15:40:46 2014 +0400 +++ b/src/http/modules/ngx_http_ssl_module.c Tue Jan 28 15:33:49 2014 -0800 @@ -17,6 +17,14 @@ typedef ngx_int_t (*ngx_ssl_variable_han #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" #define NGX_DEFAULT_ECDH_CURVE "prime256v1" +#define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1" + + +#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation +static int ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, + const unsigned char **out, unsigned char *outlen, + const unsigned char *in, unsigned int inlen, void *arg); +#endif #ifdef TLSEXT_TYPE_next_proto_neg static int ngx_http_ssl_npn_advertised(ngx_ssl_conn_t *ssl_conn, @@ -288,10 +296,66 @@ static ngx_http_variable_t ngx_http_ssl static ngx_str_t ngx_http_ssl_sess_id_ctx = ngx_string("HTTP"); +#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation + +static int +ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out, + unsigned char *outlen, const unsigned char *in, unsigned int inlen, + void *arg) +{ + unsigned int srvlen; + unsigned char *srv; +#if (NGX_DEBUG) + unsigned int i; +#endif +#if (NGX_HTTP_SPDY) + ngx_http_connection_t *hc; +#endif +#if (NGX_HTTP_SPDY || NGX_DEBUG) + ngx_connection_t *c; + + c = ngx_ssl_get_connection(ssl_conn); +#endif + +#if (NGX_DEBUG) + for (i = 0; i < inlen; i += in[i] + 1) { + ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0, + "SSL ALPN supported by client: %*s", in[i], &in[i + 1]); + } +#endif + +#if (NGX_HTTP_SPDY) + hc = c->data; + + if (hc->addr_conf->spdy) { + srv = (unsigned char *) NGX_SPDY_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE; + srvlen = sizeof(NGX_SPDY_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE) - 1; + + } else +#endif + { + srv = (unsigned char *) NGX_HTTP_NPN_ADVERTISE; + srvlen = sizeof(NGX_HTTP_NPN_ADVERTISE) - 1; + } + + if (SSL_select_next_proto((unsigned char **) out, outlen, srv, srvlen, + in, inlen) + != OPENSSL_NPN_NEGOTIATED) + { + return SSL_TLSEXT_ERR_NOACK; + } + + ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0, + "SSL ALPN selected: %*s", *outlen, *out); + + return SSL_TLSEXT_ERR_OK; +} + +#endif + + #ifdef TLSEXT_TYPE_next_proto_neg -#define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1" - static int ngx_http_ssl_npn_advertised(ngx_ssl_conn_t *ssl_conn, const unsigned char **out, unsigned int *outlen, void *arg) @@ -561,6 +625,10 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t * #endif +#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation + SSL_CTX_set_alpn_select_cb(conf->ssl.ctx, ngx_http_ssl_alpn_select, NULL); +#endif + #ifdef TLSEXT_TYPE_next_proto_neg SSL_CTX_set_next_protos_advertised_cb(conf->ssl.ctx, ngx_http_ssl_npn_advertised, NULL); diff -r fdb67cfc957d -r f1b9281e8539 src/http/ngx_http.c --- a/src/http/ngx_http.c Tue Jan 28 15:40:46 2014 +0400 +++ b/src/http/ngx_http.c Tue Jan 28 15:33:49 2014 -0800 @@ -1349,11 +1349,13 @@ ngx_http_add_address(ngx_conf_t *cf, ngx } } -#if (NGX_HTTP_SPDY && NGX_HTTP_SSL && !defined TLSEXT_TYPE_next_proto_neg) +#if (NGX_HTTP_SPDY && NGX_HTTP_SSL \ + && !defined TLSEXT_TYPE_application_layer_protocol_negotiation \ + && !defined TLSEXT_TYPE_next_proto_neg) if (lsopt->spdy && lsopt->ssl) { ngx_conf_log_error(NGX_LOG_WARN, cf, 0, - "nginx was built without OpenSSL NPN support, " - "SPDY is not enabled for %s", lsopt->addr); + "nginx was built without OpenSSL ALPN or NPN " + "support, SPDY is not enabled for %s", lsopt->addr); } #endif diff -r fdb67cfc957d -r f1b9281e8539 src/http/ngx_http_request.c --- a/src/http/ngx_http_request.c Tue Jan 28 15:40:46 2014 +0400 +++ b/src/http/ngx_http_request.c Tue Jan 28 15:33:49 2014 -0800 @@ -705,13 +705,25 @@ ngx_http_ssl_handshake_handler(ngx_conne c->ssl->no_wait_shutdown = 1; -#if (NGX_HTTP_SPDY && defined TLSEXT_TYPE_next_proto_neg) +#if (NGX_HTTP_SPDY \ + && (defined TLSEXT_TYPE_application_layer_protocol_negotiation \ + || defined TLSEXT_TYPE_next_proto_neg)) { unsigned int len; const unsigned char *data; static const ngx_str_t spdy = ngx_string(NGX_SPDY_NPN_NEGOTIATED); - SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len); + len = 0; + +#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation + SSL_get0_alpn_selected(c->ssl->connection, &data, &len); +#endif + +#ifdef TLSEXT_TYPE_next_proto_neg + if (len == 0) { + SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len); + } +#endif if (len == spdy.len && ngx_strncmp(data, spdy.data, spdy.len) == 0) { ngx_http_spdy_init(c->read); diff -r fdb67cfc957d -r f1b9281e8539 src/http/ngx_http_spdy.h --- a/src/http/ngx_http_spdy.h Tue Jan 28 15:40:46 2014 +0400 +++ b/src/http/ngx_http_spdy.h Tue Jan 28 15:33:49 2014 -0800 @@ -17,10 +17,8 @@ #define NGX_SPDY_VERSION 2 -#ifdef TLSEXT_TYPE_next_proto_neg #define NGX_SPDY_NPN_ADVERTISE "\x06spdy/2" #define NGX_SPDY_NPN_NEGOTIATED "spdy/2" -#endif #define NGX_SPDY_STATE_BUFFER_SIZE 16 _______________________________________________ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
